ICMP attacks against TCP draft-ietf-tcpm-icmp-attacks-01.txt Fernando Gont (UTN/FRH) 67 th IETF Meeting, San Diego, California, USA November 5-10, 2006.

Slides:



Advertisements
Similar presentations
73rd IETF meeting, November 16-21, 2008
Advertisements

Design Guidelines for IPv6 Networks draft-matthews-v6ops-design-guidelines-01 Philip Matthews Alcatel-Lucent.
Security Assessment of the Internet Protocol version 4 (IPv4) draft-ietf-opsec-ip-security Fernando Gont project carried out on behalf of UK CPNI 76th.
On the implementation of TCP urgent data (draft-gont-tcpm-urgent-data) Fernando Gont & A. Yourtchenko 73rd IETF meeting, November 16-21, 2008 Minneapolis,
Mitigating Teredo Routing Loop Attacks (draft-gont-6man-teredo-loops-00 ) Fernando Gont on behalf of UK CPNI IETF 79 November 7-12, Beijing, China.
Security implications of Network Address Translators (NATs) (draft-gont-behave-nat-security) Fernando Gont Pyda Srisuresh UTN/FRH EMC Corporation 76th.
Port randomization (draft-ietf-tsvwg-port-randomization) Michael Larsen & Fernando Gont 73rd IETF Meeting, November 16-21, 2008 Minneapolis, MN, USA.
MPLS-TP OAM Analysis draft-ietf-mpls-tp-oam-analysis-00.txt
Slide #1IETF 77 – Roll WG – March 2010 ROLL RPL IETF 77 status draft-ietf-roll-rpl Tim Winter Pascal Thubert Design Team.
Draft-loughney-what-standards-01.txt IETF 59 NEWTRK WG Presented by Spencer Dawkins.
March 7, 2005MOBIKE WG, IETF 621 Mobility Protocol Options for IKEv2 (MOPO-IKE) Pasi Eronen.
WG RAQMON Internet-Drafts RMON MIB WG Meeting Washington, Nov. 11, 2004.
Security Assessment of the Transmission Control Protocol (TCP) (draft-ietf-tcpm-tcp-security-02.txt) Fernando Gont project carried out on behalf of UK.
03/07/2005IETF 62, Minneapolis NAT requirements for TCP (BEHAVE WG) draft-sivakumar-behave-nat-tcp-req-00.txt S.Sivakumar, K.Biswas, B.Ford.
Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.
RADIUS Crypto-Agility Requirements November 18, 2008 David B. Nelson IETF 73 Minneapolis.
Byte and Packet Congestion Notification draft-briscoe-tsvwg-byte-pkt-mark-00.txt draft-briscoe-tsvwg-byte-pkt-mark-00.txt Bob Briscoe, BT & UCL IETF-69.
1 Debugging Path MTU Discovery Failures - Techniques and Results Internet2 Member Meeting September 21, 2005 Matthew Luckie, Kenjiro Cho, Bill Owens.
Dime WG Status Update IETF#80, 1-April Agenda overview Agenda bashing WG status update Active drafts Recently expired IESG processing Current milestones.
STIR Problem Statement IETF 88 (Vancouver) Tuesday Session Jon Peterson.
Byte and Packet Congestion Notification draft-ietf-tsvwg-byte-pkt-congest-00.txt draft-ietf-tsvwg-byte-pkt-congest-00.txt Bob Briscoe, BT & UCL IETF-73.
BFD Working Group Document Status – IETF 78 Jeffrey Haas, Dave Ward,
Peering: A Minimalist Approach Rohan Mahy IETF 66 — Speermint WG.
Guidance for Running Multiple IPv6 Prefixes (draft-liu-v6ops-running-multiple-prefixes-02) Bing Liu, Sheng Jiang (Speaker), Yang Bo IETF91
1 TCP Maintenance and Minor Extensions (TCPM) Working Group Pasi Sarolahti Michael Scharf Yoshifumi Nishida IETF 90 – Toronto, Canada July 2014.
1 Requirements for Internet Routers (Gateways) and Hosts Relates to Lab 3. (Supplement) Covers the compliance requirements of Internet routers and hosts.
Security Threats and Security Requirements for the Access Node Control Protocol (ANCP) IETF 68 - ANCP WG March 18-23, 2007 draft-ietf-ancp-security-threats-00.txt.
Richard Scheffenegger (Editor) David Borman Bob Braden Van Jacobson RFC1323bis – TCP Extensions for High Performance 1 84 th IETF, Vancouver, Canada.
Requirements and Selection Process for RADIUS Crypto-Agility December 5, 2007 David B. Nelson IETF 70 Vancouver, BC.
Byte and Packet Congestion Notification draft-briscoe-tsvwg-byte-pkt-mark-02.txt draft-briscoe-tsvwg-byte-pkt-mark-02.txt Bob Briscoe, BT & UCL IETF-71.
SCTP as a transport for Diameter draft-pascual-dime-sctp-00 IETF 79 - DIME WG November 2010,
Draft-melia-mipshop-mobility-services-ps-01.txt. From IETF #66 Discuss MIH PS (as expressed by the WG chair) Need a single PS at WG level (several drafts.
1 IPFIX Default Transport IPFIX IETF-58 November 10, 2003 Stewart Bryant Benoit Claise.
TFRC for Voice: the VoIP Variant Sally Floyd, Eddie Kohler. November 2006 draft-ietf-dccp-tfrc-voip-06.txt DCCP Working Group, IETF Slides:
Uni Innsbruck Informatik th IETF, PMTUD WG: Path MTU Discovery Using Options draft-welzl-pmtud-options-01.txt Michael Welzl
Draft-ietf-pim-port-03 wglc. WGLC responses Thomas suggested a long list of changes, mostly editorial –I believe I addressed all Dimitri also had comments.
IPFIX Requirements: Document Changes and New Issues Raised Jürgen Quittek, NEC Benoit Claise, Cisco Tanja Zseby, Sebstian Zander, FhG FOKUS.
64th IETF Vancouver November 2005 ASON-Compatible Signaling.
1 PSAMP WGIETF, November 2003PSAMP WG PSAMP Framework Document draft-ietf-psamp-framework-04.txt Duffield, Greenberg, Grossglauser, Rexford: AT&T Chiou:
Extension of the MLD proxy functionality to support multiple upstream interfaces 1 Luis M. Contreras Telefónica I+D Carlos J. Bernardos Universidad Carlos.
Security Implications of Predictable Fragment Identification Values
A Fragmentation Strategy for Generic Routing Encapsulation (GRE)
draft-briscoe-tsvwg-l4s-arch-00 B. Briscoe, K. De Schepper, M. Bagnulo
Security Implications of IPv6 on IPv4 Networks
IP Flow Information eXport (IPFIX)
GRE-in-UDP Encapsulation
draft-khademi-tsvwg-ecn-response-00
TCP Maintenance and Minor Extensions (TCPM) Working Group Status
TCP and SCTP RTO Restart draft-ietf-tcpm-rtorestart-01 TCPM WG IETF-88
Current Issues with DNS Configuration Options for SLAAC
Bob Briscoe Simula Research Laboratory
76th IETF meeting, November 8-13, 2009
Extending Option Space Discussion Overview and its requirements
IKEv2 Mobility and Multihoming Protocol (MOBIKE)
DHCPv6-Shield: Protecting Against Rogue DHCPv6 Servers
ND-Shield: Protecting against Neighbor Discovery Attacks
RADEXT WG RADIUS Attribute Guidelines draft-weber-radius-attr-guidelines-01.txt Greg Weber November 8th, 2005 v1 IETF-64, Vancouver.
Fragmentation issues in IPv4/IPv6 translation
TCP for DNS security considerations
IEEE MEDIA INDEPENDENT HANDOVER DCN:
November 7-12, Beijing,China.
Migration-Issues-xx Where it’s been and might be going
Carles Gomez, S. M. Darroudi
ECN Experimentation draft-black-ecn-experimentation
Multihoming: the SCTP perspective
Sally Floyd and Eddie Kohler draft-floyd-ccid4-01.txt July 2007
A Minimal Set of Transport Services for TAPS Systems draft-ietf-taps-minset-02 Michael Welzl, Stein Gjessing IETF
RFC 793bis Wes Eddy
James Polk Gorry Fairhurst
Presentation transcript:

ICMP attacks against TCP draft-ietf-tcpm-icmp-attacks-01.txt Fernando Gont (UTN/FRH) 67 th IETF Meeting, San Diego, California, USA November 5-10, 2006

Overview Document discusses a number of attacks that can be performed against TCP by means of ICMP. Namely: Spoof ICMP “hard errors” to reset TCP connections Spoof ICMP Source Quench to slow-down TCP connections Spoof ICMP “frag needed and DF set” to illegitimately reduce the assumed Path-MTU for a given connection. Well-known issues, but no documented counter-measures Deployment level: Nowadays virtually all implementations implement most of the counter-measures described in the draft. A number of the counter-measures had been widely deployed formore than ten years, in most popular implementations. Document was adopted as WG item at the 64 th IETF Meeting (Vancouver, BC, Canada), for the Informational path

Counter-measures (I) Check the TCP SEQ embedded in the ICMP payload This does not really address the reset attack (we’d be back in “in-window” attacks) However, it still requires more packets on the side of the attacker, and improves TCP’s robustness to spurious ICMP error messages Does not violate existing requirements ICMP hard errors -> soft errors (if the connection is in a synchronized state) This does not violate existing requirements (reaction to hard errors is stated as a SHOULD for all messages but one, which is stated ambiguosly as a SHOULD/MUST)

Counter-measures (II) Ignore ICMP Source Quench messages meant for TCP connections This does violate a MUST in RFC 1122 However, it is generally accepted that this requirement should be updated Honor ICMP “frag needed” only if there’s no progress on the connection Does not seem to violate any existing requirement In the case of IPsec-protected connections, it may be the only thing you can do If you think about it, it is in line with PLPMTUD: there must be a segment loss for the PMTUD to be reduced

Document path At IETF 64 (Vancouver, BC, Canada) the WG decided to adopt the document as a WG item, for the Informational path Since then, the question has been raised about whether that is the right path for the document. Among other things, we are addressing the TCP-based attacks as standards track, but the (simpler) ICMP-based ones as Informational the fixes have been widely implemented two of the fixes (reset attack, PMTUD attack) do not violate existing requirements the other one (ICMP Source Quench) does violate existing requirements. However, it is widely accepted

Moving forward Before continuing tweaking the document, we should decide which path we want to aim at, and how. A propsal on a way forward resulted from a long chat with the TCPM WG co-chairs

Proposal (I) Split the current document in: A std track document in tsvwg, discussing validation of ICMP error messages (TCP SEQ, reaction depending on connection- state, etc.) for all transport protocols. A BCP/std track PMTUD–specific document. Discuss it either at PMTUD WG, or TCPM WG, or TSV WG. Get feedback from the PMTUD WG folks. These two documents (in TSV WG) would address all transport protocols, with specific sections for each protocol. This is probably “the right thing”… BUT we would need to get everybody (TCP, SCTP, DCCP, etc.) to agree.

Proposal (II) Submit a general document at TSV WG, for the Informational path. This document would contain the rationale for the changes. Have a std track document at TCPM WG, which references the general doc in TSV WG Other transport protocols are free to follow the advice (or not) given in the general doc. If they do, they could reference the general doc to avoid rehashing the discussion of the issues, and just focus on the actual changes that should be made. Would probably take less time than Proposal (I). And it is certainly much better than Proposal (III).

Proposal (III) Stay at the Informational path Make the document more neutral, to “just document what many implementations are doing” This might save time As far as the specifications are concerned, ICMP-based connection-reset issues, etc., would remain open. We probably don’t want this

Moving Forward…. Any comments/questions? Hums?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.