Presentation is loading. Please wait.

Presentation is loading. Please wait.

ICMP attacks against TCP draft-ietf-tcpm-icmp-attacks-01.txt Fernando Gont (UTN/FRH) 67 th IETF Meeting, San Diego, California, USA November 5-10, 2006.

Published bySophia Watson Modified over 8 years ago

Similar presentations

Presentation on theme: "ICMP attacks against TCP draft-ietf-tcpm-icmp-attacks-01.txt Fernando Gont (UTN/FRH) 67 th IETF Meeting, San Diego, California, USA November 5-10, 2006."— Presentation transcript:

1 ICMP attacks against TCP draft-ietf-tcpm-icmp-attacks-01.txt Fernando Gont (UTN/FRH) 67 th IETF Meeting, San Diego, California, USA November 5-10, 2006

2 Overview Document discusses a number of attacks that can be performed against TCP by means of ICMP. Namely: Spoof ICMP “hard errors” to reset TCP connections Spoof ICMP Source Quench to slow-down TCP connections Spoof ICMP “frag needed and DF set” to illegitimately reduce the assumed Path-MTU for a given connection. Well-known issues, but no documented counter-measures Deployment level: Nowadays virtually all implementations implement most of the counter-measures described in the draft. A number of the counter-measures had been widely deployed formore than ten years, in most popular implementations. Document was adopted as WG item at the 64 th IETF Meeting (Vancouver, BC, Canada), for the Informational path

3 Counter-measures (I) Check the TCP SEQ embedded in the ICMP payload This does not really address the reset attack (we’d be back in “in-window” attacks) However, it still requires more packets on the side of the attacker, and improves TCP’s robustness to spurious ICMP error messages Does not violate existing requirements ICMP hard errors -> soft errors (if the connection is in a synchronized state) This does not violate existing requirements (reaction to hard errors is stated as a SHOULD for all messages but one, which is stated ambiguosly as a SHOULD/MUST)

4 Counter-measures (II) Ignore ICMP Source Quench messages meant for TCP connections This does violate a MUST in RFC 1122 However, it is generally accepted that this requirement should be updated Honor ICMP “frag needed” only if there’s no progress on the connection Does not seem to violate any existing requirement In the case of IPsec-protected connections, it may be the only thing you can do If you think about it, it is in line with PLPMTUD: there must be a segment loss for the PMTUD to be reduced

5 Document path At IETF 64 (Vancouver, BC, Canada) the WG decided to adopt the document as a WG item, for the Informational path Since then, the question has been raised about whether that is the right path for the document. Among other things, we are addressing the TCP-based attacks as standards track, but the (simpler) ICMP-based ones as Informational the fixes have been widely implemented two of the fixes (reset attack, PMTUD attack) do not violate existing requirements the other one (ICMP Source Quench) does violate existing requirements. However, it is widely accepted

6 Moving forward Before continuing tweaking the document, we should decide which path we want to aim at, and how. A propsal on a way forward resulted from a long chat with the TCPM WG co-chairs

7 Proposal (I) Split the current document in: A std track document in tsvwg, discussing validation of ICMP error messages (TCP SEQ, reaction depending on connection- state, etc.) for all transport protocols. A BCP/std track PMTUD–specific document. Discuss it either at PMTUD WG, or TCPM WG, or TSV WG. Get feedback from the PMTUD WG folks. These two documents (in TSV WG) would address all transport protocols, with specific sections for each protocol. This is probably “the right thing”… BUT we would need to get everybody (TCP, SCTP, DCCP, etc.) to agree.

8 Proposal (II) Submit a general document at TSV WG, for the Informational path. This document would contain the rationale for the changes. Have a std track document at TCPM WG, which references the general doc in TSV WG Other transport protocols are free to follow the advice (or not) given in the general doc. If they do, they could reference the general doc to avoid rehashing the discussion of the issues, and just focus on the actual changes that should be made. Would probably take less time than Proposal (I). And it is certainly much better than Proposal (III).

9 Proposal (III) Stay at the Informational path Make the document more neutral, to “just document what many implementations are doing” This might save time As far as the specifications are concerned, ICMP-based connection-reset issues, etc., would remain open. We probably don’t want this

10 Moving Forward…. Any comments/questions? Hums?

Download ppt "ICMP attacks against TCP draft-ietf-tcpm-icmp-attacks-01.txt Fernando Gont (UTN/FRH) 67 th IETF Meeting, San Diego, California, USA November 5-10, 2006."

Similar presentations

73rd IETF meeting, November 16-21, 2008

73rd IETF meeting, November 16-21, 2008
Design Guidelines for IPv6 Networks draft-matthews-v6ops-design-guidelines-01 Philip Matthews Alcatel-Lucent.

Design Guidelines for IPv6 Networks draft-matthews-v6ops-design-guidelines-01 Philip Matthews Alcatel-Lucent.
Security Assessment of the Internet Protocol version 4 (IPv4) draft-ietf-opsec-ip-security Fernando Gont project carried out on behalf of UK CPNI 76th.

Security Assessment of the Internet Protocol version 4 (IPv4) draft-ietf-opsec-ip-security Fernando Gont project carried out on behalf of UK CPNI 76th.
On the implementation of TCP urgent data (draft-gont-tcpm-urgent-data) Fernando Gont & A. Yourtchenko 73rd IETF meeting, November 16-21, 2008 Minneapolis,

On the implementation of TCP urgent data (draft-gont-tcpm-urgent-data) Fernando Gont & A. Yourtchenko 73rd IETF meeting, November 16-21, 2008 Minneapolis,
Mitigating Teredo Routing Loop Attacks (draft-gont-6man-teredo-loops-00 ) Fernando Gont on behalf of UK CPNI IETF 79 November 7-12, 2010. Beijing, China.

Mitigating Teredo Routing Loop Attacks (draft-gont-6man-teredo-loops-00 ) Fernando Gont on behalf of UK CPNI IETF 79 November 7-12, Beijing, China.
Security implications of Network Address Translators (NATs) (draft-gont-behave-nat-security) Fernando Gont Pyda Srisuresh UTN/FRH EMC Corporation 76th.

Security implications of Network Address Translators (NATs) (draft-gont-behave-nat-security) Fernando Gont Pyda Srisuresh UTN/FRH EMC Corporation 76th.
Port randomization (draft-ietf-tsvwg-port-randomization) Michael Larsen & Fernando Gont 73rd IETF Meeting, November 16-21, 2008 Minneapolis, MN, USA.

Port randomization (draft-ietf-tsvwg-port-randomization) Michael Larsen & Fernando Gont 73rd IETF Meeting, November 16-21, 2008 Minneapolis, MN, USA.
MPLS-TP OAM Analysis draft-ietf-mpls-tp-oam-analysis-00.txt

MPLS-TP OAM Analysis draft-ietf-mpls-tp-oam-analysis-00.txt
Slide #1IETF 77 – Roll WG – March 2010 ROLL RPL IETF 77 status draft-ietf-roll-rpl Tim Winter Pascal Thubert Design Team.

Slide #1IETF 77 – Roll WG – March 2010 ROLL RPL IETF 77 status draft-ietf-roll-rpl Tim Winter Pascal Thubert Design Team.
Draft-loughney-what-standards-01.txt IETF 59 NEWTRK WG Presented by Spencer Dawkins.

Draft-loughney-what-standards-01.txt IETF 59 NEWTRK WG Presented by Spencer Dawkins.
March 7, 2005MOBIKE WG, IETF 621 Mobility Protocol Options for IKEv2 (MOPO-IKE) Pasi Eronen.

March 7, 2005MOBIKE WG, IETF 621 Mobility Protocol Options for IKEv2 (MOPO-IKE) Pasi Eronen.
WG RAQMON Internet-Drafts RMON MIB WG Meeting Washington, Nov. 11, 2004.

WG RAQMON Internet-Drafts RMON MIB WG Meeting Washington, Nov. 11, 2004.
Security Assessment of the Transmission Control Protocol (TCP) (draft-ietf-tcpm-tcp-security-02.txt) Fernando Gont project carried out on behalf of UK.

Security Assessment of the Transmission Control Protocol (TCP) (draft-ietf-tcpm-tcp-security-02.txt) Fernando Gont project carried out on behalf of UK.
03/07/2005IETF 62, Minneapolis NAT requirements for TCP (BEHAVE WG) draft-sivakumar-behave-nat-tcp-req-00.txt S.Sivakumar, K.Biswas, B.Ford.

03/07/2005IETF 62, Minneapolis NAT requirements for TCP (BEHAVE WG) draft-sivakumar-behave-nat-tcp-req-00.txt S.Sivakumar, K.Biswas, B.Ford.
Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.

Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.
RADIUS Crypto-Agility Requirements November 18, 2008 David B. Nelson IETF 73 Minneapolis.

RADIUS Crypto-Agility Requirements November 18, 2008 David B. Nelson IETF 73 Minneapolis.
Byte and Packet Congestion Notification draft-briscoe-tsvwg-byte-pkt-mark-00.txt draft-briscoe-tsvwg-byte-pkt-mark-00.txt Bob Briscoe, BT & UCL IETF-69.

Byte and Packet Congestion Notification draft-briscoe-tsvwg-byte-pkt-mark-00.txt draft-briscoe-tsvwg-byte-pkt-mark-00.txt Bob Briscoe, BT & UCL IETF-69.
1 Debugging Path MTU Discovery Failures - Techniques and Results Internet2 Member Meeting September 21, 2005 Matthew Luckie, Kenjiro Cho, Bill Owens.

1 Debugging Path MTU Discovery Failures - Techniques and Results Internet2 Member Meeting September 21, 2005 Matthew Luckie, Kenjiro Cho, Bill Owens.
Dime WG Status Update IETF#80, 1-April-2011. Agenda overview Agenda bashing WG status update Active drafts Recently expired IESG processing Current milestones.

Dime WG Status Update IETF#80, 1-April Agenda overview Agenda bashing WG status update Active drafts Recently expired IESG processing Current milestones.
STIR Problem Statement IETF 88 (Vancouver) Tuesday Session Jon Peterson.

STIR Problem Statement IETF 88 (Vancouver) Tuesday Session Jon Peterson.

Similar presentations

Ads by Google