Re: [tcpm] WG Last Call for ICMP Attacks
Hello, Donald,
Thanks so much for your feedback! Comments inline.... (I have removed
those comments that I will apply and didn't need further clarification...)
Smith, Donald wrote:
> 1. ICMP [RFC0792] is a fundamental part of the TCP/IP protocol suite,
> and is used mainly for reporting network error conditions.
>
> ICMP is part of the IP protocol suite.
The protocol suite is referred to as "TCP/IP"...
> 2.2 Therefore, in the case of TCP, an attacker could send a forged
> ICMP message to the attacked system, and, as long as he is able to
> guess the four-tuple (i.e., Source IP Address, Source TCP port,
> Destination IP Address, and Destination TCP port) that identifies the
> communication instance to be attacked, he will be able to use ICMP
> to perform a variety of attacks.
>
> Forged usually implies that the source IP address has been spoofed,
> usually to come from some type of trusted host. Crafted is the term
[...]
I'll adopt the term/phrase you and Joe have converged to.
> 4.1 Many TCP implementations have incorporated a validation check so
> makes TCP react only to those ICMP error messages elicited by
> segments that were "in-flight" to the destination system.
>
> Grammar and minor correction for elicited: Many TCP implementations
> have incorporated a validation check to make TCP react only to those
> ICMP error messages that appear to have been caused by segments that
> were "in-flight" to the destination system.
Does "elicited" sound bad? (English as a second language here, sorry)
> 5.2 Assuming that once a connection is established it is not usual
> for the transport protocol to change (or be reloaded), it should be
> unusual to get these error messages. Should be: Assuming that once a
> connection is established it is usual for the transport protocol to
> change (or be reloaded), it should be unusual to get these error
> messages.
>
>
> ...(still 5.2)
>
> ICMPv6 type 1 (Destination Unreachable), code 1 (communication with
> destination administratively prohibited)
>
> This error message indicates that the destination is unreachable
> because of an administrative policy. For connection-oriented
> protocols such as TCP, one could expect to receive such an error as
> the result of a connection-establishment attempt. Receiving such an
> error for a connection in any of the synchronized states would mean
> that the administrative policy changed during the life of the
> connection. However, in the same way this error condition (which was
> not present when the conenction was established) appeared, it could
> get solved in the near term.
>
> This actually does occur in some cases where brute-force password
> attempts cause a tool such as fail2ban to block access. And
> "connection", not "conenction".
Ok. Will add a note on this. If you have any proposed text, please let
me know.
> 7.1 The PMTUD mechanism for IPv4 uses the Don't Fragment (DF) bit in
> the IP header to dynamically discover the Path MTU. The basic idea
> behind the PMTUD mechanism is that a source system assumes that the
> MTU of the path is that of the first hop, and sends all its datagrams
> with the DF bit set. If any of the datagrams is too large to be
> forwarded without fragmentation by some intermediate router, the
> router will discard the corresponding datagram, and will return an
> ICMP "Destination Unreachable" (type 3) "fragmentation neeed and DF
> set" (code 4) error message to the sending system. This message will
> report the MTU of the constricting hop, so that the sending system
> can reduce the assumed Path-MTU accordingly.
>
> Spelling and grammar: If any of the datagrams is too large -> If any
> of the datagrams are too large.
mmmm... aren't we meaning that "as long as *one* of them is too large"?
> As discussed in both [RFC1191] and [RFC1981], the Path-MTU Discovery
> mechanism can be used to attack TCP. An attacker could send a forged
> ICMP "Destination Unreachable, fragmentation needed and DF set"
> packet (or their ICMPv6 counterpart) to the sending system,
> advertising a small Next-Hop MTU. As a result, the attacked system
> would reduce the size of the packets it sends for the corresponding
> connection accordingly.
>
> Again I would suggest crafted instead of forged.
Well, even with the discussion you provided about "forged" vs.
"crafted", the attacker does forge the IP/TCP packet contained in the
ICMP payload...
Thanks so much!
Kind regards,
--
Fernando Gont
e-mail: fernando at gont.com.ar || fgont at acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
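As an added illustration (not part of this thread or of the draft under discussion), the Section 4.1 validation check and the Section 7.1 Next-Hop MTU field in Python: parse an ICMPv4 Destination Unreachable message, recover the four-tuple and sequence number from the quoted IP/TCP headers, and accept the error only when it matches a known connection and the sequence number lies in SND.UNA <= SEQ < SND.NXT, which is how this example interprets "in-flight". The TcpConn class, build_sample(), and all addresses and ports are constructed for the example.

```python
import struct
from dataclasses import dataclass

@dataclass
class TcpConn:
    """Minimal view of one connection's state (constructed for the example)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    snd_una: int   # oldest unacknowledged sequence number
    snd_nxt: int   # next sequence number to be sent

def parse_icmp_dest_unreach(icmp: bytes):
    """Parse an ICMPv4 type 3 message plus the IP/TCP headers it quotes.
    Returns (code, next_hop_mtu, four_tuple, seq), or None if malformed."""
    if len(icmp) < 8 + 20 + 8:
        return None                      # must quote IP header + 8 bytes of TCP
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != 3:
        return None
    inner = icmp[8:]                     # quoted IP datagram starts here
    ihl = (inner[0] & 0x0F) * 4
    if inner[9] != 6 or len(inner) < ihl + 8:
        return None                      # not TCP, or TCP header truncated
    src_ip = ".".join(map(str, inner[12:16]))
    dst_ip = ".".join(map(str, inner[16:20]))
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    return code, mtu, (src_ip, sport, dst_ip, dport), seq

def icmp_matches_in_flight(conn: TcpConn, icmp: bytes) -> bool:
    """Section 4.1 check: react only to errors elicited by a segment of this
    connection that is still in flight, i.e. SND.UNA <= SEQ < SND.NXT mod 2**32."""
    parsed = parse_icmp_dest_unreach(icmp)
    if parsed is None:
        return False
    _code, _mtu, four_tuple, seq = parsed
    if four_tuple != (conn.src_ip, conn.src_port, conn.dst_ip, conn.dst_port):
        return False
    in_flight = (conn.snd_nxt - conn.snd_una) & 0xFFFFFFFF
    return ((seq - conn.snd_una) & 0xFFFFFFFF) < in_flight

def build_sample(code: int, mtu: int, sport: int, dport: int, seq: int) -> bytes:
    """Constructed ICMP error quoting a TCP segment (checksums left zero)."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                           bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    inner_tcp = struct.pack("!HHI", sport, dport, seq)
    return struct.pack("!BBHHH", 3, code, 0, 0, mtu) + inner_ip + inner_tcp
```

For code 4 the second element of the parsed tuple is the advertised Next-Hop MTU from Section 7.1; a receiver that passes the in-flight check would still decide separately whether to honour that value.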