Re: [tcpm] WG Last Call for ICMP Attacks

To: "Joe Touch" <touch at ISI.EDU>, "Carlos Pignataro (cpignata)" <cpignata at cisco.com>
Subject: Re: [tcpm] WG Last Call for ICMP Attacks
From: "Anantha Ramaiah (ananth)" <ananth at cisco.com>
Date: Wed, 9 Sep 2009 08:57:09 -0700
Authentication-results: sj-dkim-1; header.From=ananth at cisco.com; dkim=pass ( sig from cisco.com/sjdkim1004 verified; );
Cc: "Smith, Donald" <Donald.Smith at qwest.com>, tcpm Extensions WG <tcpm at ietf.org>, David Borman <david.borman at windriver.com>, Fernando Gont <fernando at gont.com.ar>
Delivered-to: tcpm at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; l=4539; t=1252511830; x=1253375830; c=relaxed/simple; s=sjdkim1004; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=ananth at cisco.com; z=From:=20=22Anantha=20Ramaiah=20(ananth)=22=20<ananth at cisco .com> |Subject:=20RE=3A=20[tcpm]=20WG=20Last=20Call=20for=20ICMP= 20Attacks |Sender:=20; bh=dqCoJ8dFtaFlVXmEY3b+U8isSVrGlz31lw4P5oViayQ=; b=sCUSJQaHcy0krG6sdxPoqi2unfebYe0G12faE9CWS/2Oqwgmfpth0K2A8Z PVZks7/c6lBDV8MzbXoKtLQimRBhG+AVwmEDy7D+YNiG45qye/K913xO+iyt NB9ZmDvx0YtqhhUZ0tj9Lbj4NMQMxtQNeFIJojQke4kuNWzEXFn5o=;
In-reply-to: <4AA7C7DD.1000504 at isi.edu>
List-archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-help: <mailto:tcpm-request@ietf.org?subject=help>
List-id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-post: <mailto:tcpm@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
References: <F1534040-EA0D-44E4-98F7-67C24CD12CCF at windriver.com> <B01905DA0C7CDC478F42870679DF0F1005B64E383D at qtdenexmbm24.AD.QINTRA.COM> <4A9F4AB1.6070605 at gont.com.ar> <4AA6E2CC.2000905 at isi.edu> <4AA73910.7080002 at gont.com.ar><4AA74639.4000500 at isi.edu> <4AA7B738.10400 at cisco.com><4AA7B930.10300 at isi.edu> <4AA7BFE4.5050209 at cisco.com><4AA7C32B.3020606 at isi.edu> <4AA7C5CF.10400 at cisco.com> <4AA7C7DD.1000504 at isi.edu>
Thread-index: AcoxYTxr8TsqCXHrQnqry7pveb+GcQAAWSnw
Thread-topic: [tcpm] WG Last Call for ICMP Attacks

Jumping in to this thread since I had mentioned it many times earlier
that delayed ICMP's causing issues for seq # check is impractical today.
On the client side validation we can have the following scenarios :-

#1 - ICMP comes in and doesn't match the current segments (or in some
implementations packets) sitting in the retransmission queue, thus the
ICMP is silently dropped. No harm.
#2 - ICMP arrives and it matches the sequence #, this is the usual case.
No harm if false positives are handled correctly.

The cause for concern is the case where the ICMP packet gets delayed for
a long time and the sequence number has wrapped around and the seq # no.
exactly falls in the window of packets sitting in the retransmit queue.
This cam happen only when the data is sent at a very fast rate and such
cases extra checks are necessary. OTOH, if the ICMP packet seq#  falls
outiside (> SNDNXT) in such cases this is for something not yet sent,
discard it. No harm

IMO, this is not an issue at all, these false positives can be handled
with appropriate checks in the code.

Joe has brought this up multiple # of times and I don't really see this
as an issue. The merits of this seq# check far outweigh the de-merits,
if any. If you have extendeded ICMP support then we could check more to
get even more robustness. (example if timestmaps are available one could
make use of it) We have been using the seq# check in our boxes for quite
some time (Fernando's draft mentions many other popular OS'es using this
method) So, far they have been no issues in the field. 

My proposal would be to add some text to what Joe is concerned about,
highlight the fact that it is mostly theoritical and hence should not be
a concern. If needed some quantification can be done, but I really don't
see the point. 

Just my few bits...

-Anantha

> -----Original Message-----
> From: tcpm-bounces at ietf.org [mailto:tcpm-bounces at ietf.org] On 
> Behalf Of Joe Touch
> Sent: Wednesday, September 09, 2009 8:21 AM
> To: Carlos Pignataro (cpignata)
> Cc: Smith, Donald; 'tcpm Extensions WG'; 'David Borman'; Fernando Gont
> Subject: Re: [tcpm] WG Last Call for ICMP Attacks
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> 
> Carlos Pignataro wrote:
> ...
> >> It's OK to qualify it with "this is unlikely", but IMO it 
> needs to be 
> >> discussed with more than a single word in a single paragraph.
> > 
> > I think that "this is unlikely" or "this is highly unlikely" would 
> > still be understating the probability (I am curious to see any 
> > experienced example of ICMP being delayed minutes). Redundancy 
> > architectures of routers typically cover the planned 
> upgrade (or even 
> > unexpected reload) scenarios you presented.
> > 
> > Perhaps a separate sentence in that paragraph before the 
> "Thus, " with 
> > some variation of "rate-limiting can delay ICMPs, and some other 
> > highly unlikely theoretical scenarios can compound the delay"?
> 
> You can't rely on something that isn't required. The fact 
> that current implementations, in current operation, don't do 
> this isn't relevant.
> 
> Consider the proposal to resend 'the last packets seen' after 
> a link outage, to 'tickle' TCP into waking up. That proposal 
> was considered inappropriate because the router would hold 
> the packet too long to satisfy requirements. However, if 
> someone were to propose to hold ICMPs and issue them later, 
> that would be *compliant*.
> 
> Protocols aren't just about what happens to work today; 
> they're about what you can expect to work tomorrow too. 
> Anything that examines the contents of an ICMP needs to 
> appreciate that those contents do NOT have to obey timeliness 
> requirements - notably of the protocol being conveyed as 
> payload. You need to explain what happens when your 
> assumptions are wrong not because they're often wrong today, 
> but because you cannot know whether they'll be wrong tomorrow.
> 
> Joe
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> iEYEARECAAYFAkqnx90ACgkQE5f5cImnZrvguwCgrm7/fLMiKak8gGb0QYQsROeK
> 5bcAn0fxfPIznaScGG9Tx0oq0OjCHk8x
> =xegI
> -----END PGP SIGNATURE-----
> _______________________________________________
> tcpm mailing list
> tcpm at ietf.org
> https://www.ietf.org/mailman/listinfo/tcpm
>

Follow-Ups:
- Re: [tcpm] WG Last Call for ICMP Attacks
  - From: Joe Touch

References:
- [tcpm] WG Last Call for ICMP Attacks
  - From: David Borman
- Re: [tcpm] WG Last Call for ICMP Attacks
  - From: Smith, Donald
- Re: [tcpm] WG Last Call for ICMP Attacks
  - From: Fernando Gont
- Re: [tcpm] WG Last Call for ICMP Attacks
  - From: Joe Touch
- Re: [tcpm] WG Last Call for ICMP Attacks
  - From: Fernando Gont
- Re: [tcpm] WG Last Call for ICMP Attacks
  - From: Joe Touch
- Re: [tcpm] WG Last Call for ICMP Attacks
  - From: Carlos Pignataro
- Re: [tcpm] WG Last Call for ICMP Attacks
  - From: Joe Touch
- Re: [tcpm] WG Last Call for ICMP Attacks
  - From: Carlos Pignataro
- Re: [tcpm] WG Last Call for ICMP Attacks
  - From: Joe Touch
- Re: [tcpm] WG Last Call for ICMP Attacks
  - From: Carlos Pignataro
- Re: [tcpm] WG Last Call for ICMP Attacks
  - From: Joe Touch

Prev by Date: Re: [tcpm] WG Last Call for ICMP Attacks
Next by Date: Re: [tcpm] WG Last Call for ICMP Attacks
Previous by thread: Re: [tcpm] WG Last Call for ICMP Attacks
Next by thread: Re: [tcpm] WG Last Call for ICMP Attacks
Index(es):
- Date
- Thread

Re: [tcpm] WG Last Call for ICMP Attacks

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.