Re: [tcpm] WG Last Call for ICMP Attacks

To: "Anantha Ramaiah (ananth)" <ananth at cisco.com>
Subject: Re: [tcpm] WG Last Call for ICMP Attacks
From: Joe Touch <touch at ISI.EDU>
Date: Wed, 09 Sep 2009 09:04:07 -0700
Cc: "Smith, Donald" <Donald.Smith at qwest.com>, "Carlos Pignataro \(cpignata\)" <cpignata at cisco.com>, tcpm Extensions WG <tcpm at ietf.org>, David Borman <david.borman at windriver.com>, Fernando Gont <fernando at gont.com.ar>
Delivered-to: tcpm at core3.amsl.com
In-reply-to: <0C53DCFB700D144284A584F54711EC5807F84E7A at xmb-sjc-21c.amer.cisco.com>
List-archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-help: <mailto:tcpm-request@ietf.org?subject=help>
List-id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-post: <mailto:tcpm@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
References: <F1534040-EA0D-44E4-98F7-67C24CD12CCF at windriver.com> <B01905DA0C7CDC478F42870679DF0F1005B64E383D at qtdenexmbm24.AD.QINTRA.COM> <4A9F4AB1.6070605 at gont.com.ar> <4AA6E2CC.2000905 at isi.edu> <4AA73910.7080002 at gont.com.ar><4AA74639.4000500 at isi.edu> <4AA7B738.10400 at cisco.com><4AA7B930.10300 at isi.edu> <4AA7BFE4.5050209 at cisco.com><4AA7C32B.3020606 at isi.edu> <4AA7C5CF.10400 at cisco.com> <4AA7C7DD.1000504 at isi.edu> <0C53DCFB700D144284A584F54711EC5807F84E7A at xmb-sjc-21c.amer.cisco.com>
User-agent: Thunderbird 2.0.0.23 (Windows/20090812)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi, Anantha,

Anantha Ramaiah (ananth) wrote:
> Jumping in to this thread since I had mentioned it many times earlier
> that delayed ICMP's causing issues for seq # check is impractical today.
> On the client side validation we can have the following scenarios :-
> 
> #1 - ICMP comes in and doesn't match the current segments (or in some
> implementations packets) sitting in the retransmission queue, thus the
> ICMP is silently dropped. No harm.
> #2 - ICMP arrives and it matches the sequence #, this is the usual case.
> No harm if false positives are handled correctly.
> 
> 
> The cause for concern is the case where the ICMP packet gets delayed for
> a long time and the sequence number has wrapped around and the seq # no.
> exactly falls in the window of packets sitting in the retransmit queue.
> This cam happen only when the data is sent at a very fast rate and such
> cases extra checks are necessary. OTOH, if the ICMP packet seq#  falls
> outiside (> SNDNXT) in such cases this is for something not yet sent,
> discard it. No harm
> 
> IMO, this is not an issue at all, these false positives can be handled
> with appropriate checks in the code.

Please just put this in the doc. This issue comes up. It may not affect
this solution, but it is important to include it - to say that it isn't
an impact. I have asked for similar language in the long-delays doc, but
I'm not sure what the impact there is.

...
> My proposal would be to add some text to what Joe is concerned about,
> highlight the fact that it is mostly theoritical and hence should not be
> a concern. If needed some quantification can be done, but I really don't
> see the point. 

No quantification. A version of what's above is what I'm seeking, though
if we're considering everything we never see in the wild theoretical, we
can gut a lot of complexity out of TCP. IMO, this isn't theoretical -
it's *compliant*, and you can make the case that you do no harm when it
happens. That's the point, and that's what needs to be in the doc, IMO.

Joe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkqn0fcACgkQE5f5cImnZruF0QCg8YKWBuLtDuwNTiTxYjRtgK0X
KJQAoJV+FzgzeQ7ZwxfaoBgkkET7TIBh
=pyWu
-----END PGP SIGNATURE-----

References:
- [tcpm] WG Last Call for ICMP Attacks
  - From: David Borman
- Re: [tcpm] WG Last Call for ICMP Attacks
  - From: Smith, Donald
- Re: [tcpm] WG Last Call for ICMP Attacks
  - From: Fernando Gont
- Re: [tcpm] WG Last Call for ICMP Attacks
  - From: Joe Touch
- Re: [tcpm] WG Last Call for ICMP Attacks
  - From: Fernando Gont
- Re: [tcpm] WG Last Call for ICMP Attacks
  - From: Joe Touch
- Re: [tcpm] WG Last Call for ICMP Attacks
  - From: Carlos Pignataro
- Re: [tcpm] WG Last Call for ICMP Attacks
  - From: Joe Touch
- Re: [tcpm] WG Last Call for ICMP Attacks
  - From: Carlos Pignataro
- Re: [tcpm] WG Last Call for ICMP Attacks
  - From: Joe Touch
- Re: [tcpm] WG Last Call for ICMP Attacks
  - From: Carlos Pignataro
- Re: [tcpm] WG Last Call for ICMP Attacks
  - From: Joe Touch
- Re: [tcpm] WG Last Call for ICMP Attacks
  - From: Anantha Ramaiah (ananth)

Prev by Date: Re: [tcpm] WG Last Call for ICMP Attacks
Next by Date: Re: [tcpm] WG Last Call for ICMP Attacks
Previous by thread: Re: [tcpm] WG Last Call for ICMP Attacks
Next by thread: Re: [tcpm] WG Last Call for ICMP Attacks
Index(es):
- Date
- Thread

Re: [tcpm] WG Last Call for ICMP Attacks

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.