Re: [tcpm] WG Last Call for ICMP Attacks

To: Joe Touch <touch at ISI.EDU>
Subject: Re: [tcpm] WG Last Call for ICMP Attacks
From: Fernando Gont <fernando at gont.com.ar>
Date: Wed, 09 Sep 2009 02:11:44 -0300
Cc: "Smith, Donald" <Donald.Smith at qwest.com>, 'tcpm Extensions WG' <tcpm at ietf.org>, 'David Borman' <david.borman at windriver.com>
Delivered-to: tcpm at core3.amsl.com
In-reply-to: <4AA6E2CC.2000905 at isi.edu>
List-archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-help: <mailto:tcpm-request@ietf.org?subject=help>
List-id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-post: <mailto:tcpm@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
Openpgp: id=D076FFF1
References: <F1534040-EA0D-44E4-98F7-67C24CD12CCF at windriver.com> <B01905DA0C7CDC478F42870679DF0F1005B64E383D at qtdenexmbm24.AD.QINTRA.COM> <4A9F4AB1.6070605 at gont.com.ar> <4AA6E2CC.2000905 at isi.edu>
User-agent: Thunderbird 2.0.0.23 (Windows/20090812)

Hello, Joe,

Thanks for your feedback! Comments in-line....

> - --
> 2.1 indicates reasons why ICMPs are not reliable; it should include
> reasons why ICMPs could be late - so late that, e.g., sequence numbers
> aren't relevant.
> - --

Could you clarify what you have in mind, specificaly? ICMP error
messages being assigned lower priority than normal traffic, or what?
FWIW, routers typically rate-limit ICMP errors...



> In Sec 4.1:
>    It should be note that as there are no timeliness for ICMP error
>    messages, the TCP Sequence Number check described in this section
>    might cause legitimate ICMP error messages to be discarded
> 
> This should also note that it is also possible to end up acting on ICMPs
> that are old even when such checks are in place, depending on the
> lateness of the ICMP and the width of the valid sequence number window.

I have no problem with this. However, the doc tries to address
deliberate attacks rather than ligitimate old packets. That said, if you
still feel this should be addressed in the document, please let me know
and I will incorporate text about this..



> - --
> top Page 13, space is missing:
>    synchronized states (ESTABLISHED, FIN-WAIT-1, FIN-WAIT-2, CLOSE-WAIT,
>    CLOSING, LAST-ACK or TIME-WAIT)as "soft errors".  That is, they do

Thanks!


                                  ^
> - --
> Section 8 would benefit from a summary of the different techniques used
> (e.g., parameter checking to drop ICMPs, state checking to drop ICMPs,
> etc.) and a description of how each basic technique affects the system -
> i.e., they (in general) make the system more robust to deliberate
> attacks, but could make the system react less rapidly to legitimate
> network errors. This is a deliberate trade-off, and perhaps a reasonable
> one, but worth noting, IMO.

Will do.

Thanks again!

Kind regards,
-- 
Fernando Gont
e-mail: fernando at gont.com.ar || fgont at acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

Follow-Ups:
- Re: [tcpm] WG Last Call for ICMP Attacks
  - From: Joe Touch
- Re: [tcpm] WG Last Call for ICMP Attacks
  - From: Lars Eggert

References:
- [tcpm] WG Last Call for ICMP Attacks
  - From: David Borman
- Re: [tcpm] WG Last Call for ICMP Attacks
  - From: Smith, Donald
- Re: [tcpm] WG Last Call for ICMP Attacks
  - From: Fernando Gont
- Re: [tcpm] WG Last Call for ICMP Attacks
  - From: Joe Touch

Prev by Date: Re: [tcpm] WG Last Call for ICMP Attacks
Next by Date: Re: [tcpm] tcp-security: Request for feedback on the outline of the document
Previous by thread: Re: [tcpm] WG Last Call for ICMP Attacks
Next by thread: Re: [tcpm] WG Last Call for ICMP Attacks
Index(es):
- Date
- Thread

Re: [tcpm] WG Last Call for ICMP Attacks

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.