IETF Logo Mail Archive

Re: [Tsvwg] SCTP and ICMP Protocol Unreachable

Stephane Chazelas <Stephane@artesyncp.com> Fri, 22 September 2006 09:52 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GQhhZ-0008D6-Nb; Fri, 22 Sep 2006 05:52:09 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GQhhY-0008Cw-DA for tsvwg@ietf.org; Fri, 22 Sep 2006 05:52:08 -0400
Received: from caly80.spider.com ([194.217.109.12]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GQhhW-0002o4-Td for tsvwg@ietf.org; Fri, 22 Sep 2006 05:52:08 -0400
Received: from no.name.available by caly80.spider.com via smtpd (for ietf-mx.ietf.org [156.154.16.150]) with ESMTP; Fri, 22 Sep 2006 10:52:02 +0100
Received: from mailhub.spider.com (mailhub.spider.com [212.240.99.13]) by caly80.spider.com (Postfix) with ESMTP id 9C5A96F56; Fri, 22 Sep 2006 10:51:57 +0100 (BST)
Received: from mailhub.spider.com by mailhub.spider.com via smtpd (for [172.16.254.22] [172.16.254.22]) with ESMTP; Fri, 22 Sep 2006 10:51:57 +0100
Received: from ant.artesyncp.com ([10.95.129.182]) by batistuta.spider.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id T24275N8; Fri, 22 Sep 2006 10:46:15 +0100
Received: from stephane by ant.artesyncp.com with local (Exim 4.63) (envelope-from <stephane@artesyncp.com>) id 1GQhhN-0002b8-GW; Fri, 22 Sep 2006 10:51:57 +0100
Date: Fri, 22 Sep 2006 10:51:57 +0100
From: Stephane Chazelas <Stephane@artesyncp.com>
To: Randall Stewart <rrs@cisco.com>
Subject: Re: [Tsvwg] SCTP and ICMP Protocol Unreachable
Message-ID: <20060922095157.GC28642@artesyncp.com>
Mail-Followup-To: Randall Stewart <rrs@cisco.com>, sctp-impl@cisco.com, bidulock@openss7.org, Michael Tuexen <Michael.Tuexen@micmac.franken.de>, sctp-impl@external.cisco.com, IETF Transport Area Mailing List <tsvwg@ietf.org>
References: <161FAFDF-8B94-48B5-8477-0F2F85B75627@micmac.franken.de> <20060920094032.GA28221@artesyncp.com> <20060920055135.A30614@openss7.org> <9C48BA4E-7C94-4EF6-B2FD-3AD374552CF3@micmac.franken.de> <20060920120115.A5094@openss7.org> <2FB2577B-5E0D-4565-BD75-C8CFCD924D95@micmac.franken.de> <20060920123634.A6026@openss7.org> <451266D7.9090202@lakerest.net> <20060921132657.GF28221@artesyncp.com> <4512E2ED.8010702@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <4512E2ED.8010702@cisco.com>
User-Agent: mutt-ng/devel-r562 (Linux)
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 5a9a1bd6c2d06a21d748b7d0070ddcb8
Cc: Michael Tuexen <Michael.Tuexen@micmac.franken.de>, sctp-impl@cisco.com, sctp-impl@external.cisco.com, bidulock@openss7.org, IETF Transport Area Mailing List <tsvwg@ietf.org>
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
Errors-To: tsvwg-bounces@ietf.org

On Thu, Sep 21, 2006 at 03:07:25PM -0400, Randall Stewart wrote:
[...]
> >>If you instead remove the ICMP message treated as an ABORT
> >>you loose the ability to penalize attackers..
> >But what harm could the attacker do?
> Go take a look at the bombing attacks listed
> in the threats draft...

Hi Randall,

Maybe I'm not reading it correctly, but for some of those
bombing attacks, there's more of a justification to drop the
Protocol Unreachable.

http://www.ietf.org/internet-drafts/draft-ietf-tsvwg-sctpthreat-01.txt

5) is taken care of by the change to the RFC that every address
must be confirmed first. So that only heartbeats are sent to the
victims

6) the attacker will be able to resend its cookie quickly because
the server considers the ICMP DUPrU as an ABORT. If it didn't it
would have to close the association first.

8,9) unrelated.

So it looks like an attacker can always have a server send a
burst of heartbeats to victims whether or not the ICMP DUPrU is
considered as an ABORT or not.

[...]
> >I can see firewalls send "port unreachables" when filtering on
> >TCP services, that's a host level ICMP message as well.
> 
> Port unreachable is even a stretch IMO.. but announcing
> that a host does not support a protocol is way over
> the top.. and is just plain broken.
[...]

Given that firewalls work at transport level, it may be
considered legitimate that they inpersonate the destination. A
firewall is a bit of a hack anyway. The problem is that IP
doesn't provide them with tools to do their job, so they have to
use hacks/work around. There's no ICMP to say "sorry, no TCP
telnet on that path", so they have to fake a DUPoU from the
destination instead. Similarly, there's no way to tell "sorry,
no SCTP on that path", so they use the ICMP DUPrU.

I'm not trying to push in either direction, I'm just pointing
out that potential issue. The behavior of SCTP (considering the
ICMP DUPrU as an abort) conflicts with that behavior of some
firewalls. Now, we may question ourselves whether that bahavior
is necessary. Maybe the right approach is to come up with new
ICMP codes for usage by the firewalls.

Best regards,
Stephane

v2.23.0 | Report a Bug | By Email