Re: [tcpm] WG Last Call for ICMP Attacks
Smith, Donald wrote:
> 1.
> ICMP [RFC0792] is a fundamental part of the TCP/IP protocol suite,
> and is used mainly for reporting network error conditions.
>
> ICMP is part of the IP protocol suite.
>
> 2.2
> Therefore, in the case of TCP, an attacker could send a forged ICMP
> message to the attacked system, and, as long as he is able to guess
> the four-tuple (i.e., Source IP Address, Source TCP port, Destination
> IP Address, and Destination TCP port) that identifies the
> communication instance to be attacked, he will be able to use ICMP to
> perform a variety of attacks.
>
> Forged usually implies that the source IP address has been spoofed, usually to come from some type of trusted host.
> Crafted is the term generally used to mean the packet's contents (not header) were modified.
> In this case there is no need to spoof the source IP address, as the end host has no knowledge about the routers in between them and the end host system. So I recommend you change forged to crafted.
I've not heard that there was such clarity on the term forged or
crafted, but neither is the case here.
The attacker emits an ICMP message. It doesn't need a falsified header.
It doesn't need to be a "modified" packet. E.g., it can be created based
on information seen on the media.
It might just be called a "false ICMP message", i.e., it's reporting an
event that didn't happen.
Joe
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.