Re: [tcpm] WG Last Call for ICMP Attacks
Smith, Donald wrote:
...
> "ICMP packet with falsified content" would be a good description.
Sounds better to me.
Joe
>> -----Original Message-----
>> From: Joe Touch [mailto:touch at ISI.EDU]
>> Sent: Wednesday, September 02, 2009 3:09 PM
>> To: Smith, Donald
>> Cc: 'David Borman'; 'tcpm Extensions WG'
>> Subject: Re: [tcpm] WG Last Call for ICMP Attacks
>>
>
>
> Smith, Donald wrote:
>>>> 1.
>>>> ICMP [RFC0792] is a fundamental part of the TCP/IP protocol suite,
>>>> and is used mainly for reporting network error conditions.
>>>>
>>>> ICMP is part of the IP protocol suite.
>>>>
>>>> 2.2
>>>> Therefore, in the case of TCP, an attacker could send a forged ICMP
>>>> message to the attacked system, and, as long as he is able to guess
>>>> the four-tuple (i.e., Source IP Address, Source TCP port, Destination
>>>> IP Address, and Destination TCP port) that identifies the
>>>> communication instance to be attacked, he will be able to use ICMP to
>>>> perform a variety of attacks.
>>>>
>>>> Forged usually implies that source IP address has been spoofed usually to come from some type of trusted host.
>>>> Crafted is the term generally used to mean the packet's contents (not header) were modified.
>>>> In this case there is no need to spoof the source IP address as the end host has no knowledge about the routers in between them and the end host system. So I recommend you change forged to crafted.
>
> I've not heard that there was such clarity on the term forged or
> crafted, but neither is the case here.
>
> The attacker emits an ICMP message. It doesn't need a falsified header.
> It doesn't need to be a "modified" packet. E.g., it can be created based
> on information seen on the media.
>
> It might just be called a "false ICMP message", i.e., it's reporting an
> event that didn't happen.
>
> Joe
>>
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
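
The point debated in this thread, seen from the receiving host, as an added example that is not part of the original messages or of the draft: an ICMP error is mapped to a TCP connection by the four-tuple quoted in its payload, and the outer source address plays no part in that match. The function names, the connection table layout and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import socket
import struct

# ICMPv4 error types whose payload quotes the offending datagram.
QUOTING_TYPES = (3, 4, 11, 12)

def embedded_four_tuple(icmp: bytes):
    """Return (src_ip, src_port, dst_ip, dst_port) quoted in an ICMPv4 error, or None."""
    if len(icmp) < 8 + 20 + 8 or icmp[0] not in QUOTING_TYPES:
        return None
    inner = icmp[8:]                      # quoted IP header + start of its payload
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None
    if inner[9] != 6:                     # quoted datagram is not TCP
        return None
    src_ip = socket.inet_ntoa(inner[12:16])
    dst_ip = socket.inet_ntoa(inner[16:20])
    src_port, dst_port = struct.unpack("!HH", inner[ihl:ihl + 4])
    return (src_ip, src_port, dst_ip, dst_port)

def matches_connection(outer_src_ip: str, icmp: bytes, connections: set) -> bool:
    """Match on the quoted four-tuple only.

    outer_src_ip is accepted but unused: the end host has no list of
    on-path routers to compare it against, so it cannot be a criterion.
    """
    return embedded_four_tuple(icmp) in connections

def sample_icmp_error(src_ip, src_port, dst_ip, dst_port) -> bytes:
    """Constructed sample: type 3, code 1, quoting a TCP segment (checksums zero)."""
    icmp_hdr = struct.pack("!BBHI", 3, 1, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp_start = struct.pack("!HHI", src_port, dst_port, 0)
    return icmp_hdr + ip_hdr + tcp_start

if __name__ == "__main__":
    # Constructed connection table: (local_ip, local_port, remote_ip, remote_port).
    conns = {("192.0.2.10", 49152, "198.51.100.20", 80)}
    msg = sample_icmp_error("192.0.2.10", 49152, "198.51.100.20", 80)
    for outer in ("203.0.113.1", "203.0.113.99"):
        print(outer, matches_connection(outer, msg, conns))
```

Both outer source addresses yield the same match, which is why the receiver cannot tell a report of a real event from a false one by looking at the ICMP header alone.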