Diff of draft-ietf-opsec-icmp-filtering-02.txt against draft-ietf-opsec-icmp-filtering-03.txt. Where the two versions differ, the -03 text is given and the -02 wording is noted in square brackets.

Operational Security Capabilities for IP Network Infrastructure (opsec)
Internet-Draft
Intended status: Informational
Expires: September 13, 2012 [-02: August 20, 2012]

F. Gont, UTN/FRH
G. Gont, SI6 Networks
C. Pignataro, Cisco
March 12, 2012 [-02: February 17, 2012]

Recommendations for filtering ICMP messages
draft-ietf-opsec-icmp-filtering-03 [-02: draft-ietf-opsec-icmp-filtering-02]

Abstract

This document provides advice on the filtering of ICMPv4 and ICMPv6 messages. Additionally, it discusses the operational and interoperability implications of such filtering.

Status of this Memo

This Internet-Draft is submitted in full conformance with the
skipping to change at page 1, line 35
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on September 13, 2012. [-02: August 20, 2012]

Copyright Notice

Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents
skipping to change at page 3, line 22
   (Table of Contents, continued; page numbers as in -03, -02 page numbers in brackets where they differ)

   2.1.3.  Redirect (Type 5) ............................................ 21
   2.1.4.  Time Exceeded (Type 11) ...................................... 23
   2.1.5.  Parameter Problem (Type 12) .................................. 25
   2.2.  ICMPv4 Informational Messages .................................. 26
   2.2.1.  Echo or Echo Reply Message ................................... 26
   2.2.2.  Router Solicitation or Router Advertisement message .......... 28
   2.2.3.  Timestamp or Timestamp Reply Message ......................... 29
   2.2.4.  Information Request or Information Reply Message (Deprecated)  30
   2.2.5.  Address Mask Request or Address Mask Reply ................... 31
   3.  Internet Control Message Protocol version 6 (ICMPv6) ............. 33 [-02: 32]
   3.1.  ICMPv6 Error Messages .......................................... 34
   3.1.1.  Destination Unreachable (Type 1) ............................. 34
   3.1.2.  Packet Too Big Message (Type 2, code 0) ...................... 38
   3.1.3.  Time Exceeded Message (Type 3) ............................... 39
   3.1.4.  Parameter Problem Message (Type 4) ........................... 40
   3.1.5.  Private experimentation (Type 100) ........................... 42
   3.1.6.  Private experimentation (Type 101) ........................... 43 [-02: 42]
   3.1.7.  Reserved for expansion of ICMPv6 error messages (Type 127) ... 43
   3.2.  ICMPv6 Informational messages .................................. 44 [-02: 43]
   3.2.1.  Echo Request or Echo Reply Message ........................... 44 [-02: 43]
   3.2.2.  Private experimentation (Type 200) ........................... 44
   3.2.3.  Private experimentation (Type 201) ........................... 45
   3.2.4.  Reserved for expansion of ICMPv6 informational messages (Type 255)  45
   4.  IANA Considerations .............................................. 46
   5.  Security Considerations .......................................... 46
   6.  Acknowledgements ................................................. 46
   7.  References ....................................................... 47 [-02: 46]
   7.1.  Normative References ........................................... 47 [-02: 46]
   7.2.  Informative References ......................................... 47
   Appendix A.  Change log (to be removed before publication of the document as an RFC) ... 47 (present in only one of the two versions)
   A.1.  Changes from draft-ietf-opsec-icmp-filtering-00 ................ 48 (present in only one of the two versions)
   A.2.  Changes from draft-gont-opsec-icmp-filtering-00 ................ 48 (present in only one of the two versions)
   Authors' Addresses ................................................... 48
1. Introduction

This document provides advice on the filtering of ICMPv4 and ICMPv6 messages. Additionally, it discusses the operational and interoperability implications of such filtering.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
2. Internet Control Message Protocol version 4 (ICMP)

Table 1 summarizes the recommendations with respect to what a device SHOULD do when generating, forwarding, or receiving ICMPv4 and ICMPv6 messages. [-02: "Table 1 summarizes the recommendations."]
   +-------------------------------+----------+-----------+------------+
   | ICMPv4 Message                | Sourced  | Through   | Destined   |
   |                               | from     | Device    | to Device  |
   |                               | Device   |           |            |
   +-------------------------------+----------+-----------+------------+
   | ICMPv4-unreach-net            | Rate-L   | Rate-L    | Rate-L     |
   +-------------------------------+----------+-----------+------------+
   | ICMPv4-unreach-host           | Rate-L   | Rate-L    | Rate-L     |
   +-------------------------------+----------+-----------+------------+
   | ICMPv4-unreach-proto          | Rate-L   | Deny      | Rate-L     |
   +-------------------------------+----------+-----------+------------+
   | ICMPv4-unreach-port           | Rate-L   | Deny      | Rate-L     |
   +-------------------------------+----------+-----------+------------+
   | ICMPv4-unreach-frag-needed    | Send     | Permit    | Rate-L     |
   +-------------------------------+----------+-----------+------------+
   | ICMPv4-unreach-src-route      | Rate-L   | Deny      | Rate-L     |
   +-------------------------------+----------+-----------+------------+
   | ICMPv4-unreach-net-unknown    | Deny     | Deny      | Deny       |
   | (Depr)                        |          |           |            |
   +-------------------------------+----------+-----------+------------+
   | ICMPv4-unreach-host-unknown   | Rate-L   | Deny      | Ignore     |
   +-------------------------------+----------+-----------+------------+
   | ICMPv4-unreach-host-isolated  | Deny     | Deny      | Deny       |
   | (Depr)                        |          |           |            |
   +-------------------------------+----------+-----------+------------+
   | ICMPv4-unreach-net-tos        | Rate-L   | Deny      | Rate-L     |
   +-------------------------------+----------+-----------+------------+
   | ICMPv4-unreach-host-tos       | Rate-L   | Deny      | Rate-L     |
   +-------------------------------+----------+-----------+------------+
   | ICMPv4-unreach-admin          | Rate-L   | Rate-L    | Rate-L     |
   +-------------------------------+----------+-----------+------------+
   | ICMPv4-unreach-prec-violation | Rate-L   | Deny      | Rate-L     |
   +-------------------------------+----------+-----------+------------+
   | ICMPv4-unreach-prec-cutoff    | Rate-L   | Deny      | Rate-L     |
   +-------------------------------+----------+-----------+------------+
   | ICMPv4-quench                 | Deny     | Deny      | Deny       |
   +-------------------------------+----------+-----------+------------+
   | ICMPv4-redirect-net           | Rate-L   | Deny      | Rate-L     |
   +-------------------------------+----------+-----------+------------+
   | ICMPv4-redirect-host          | Rate-L   | Deny      | Rate-L     |
   +-------------------------------+----------+-----------+------------+
   | ICMPv4-redirect-tos-net       | Rate-L   | Deny      | Rate-L     |
   +-------------------------------+----------+-----------+------------+
   | ICMPv4-redirect-tos-host      | Rate-L   | Deny      | Rate-L     |
   +-------------------------------+----------+-----------+------------+
   | ICMPv4-timed-ttl              | Rate-L   | Permit    | Rate-L     |
   +-------------------------------+----------+-----------+------------+
   | ICMPv4-timed-reass            | Rate-L   | Permit    | Rate-L     |
   +-------------------------------+----------+-----------+------------+
   | ICMPv4-parameter-pointer      | Rate-L   | Deny      | Rate-L     |
   +-------------------------------+----------+-----------+------------+
   | ICMPv4-option-missing         | Rate-L   | Deny      | Rate-L     |
   +-------------------------------+----------+-----------+------------+
   | ICMPv4-req-echo-message       | Rate-L   | Permit    | Rate-L     |
   +-------------------------------+----------+-----------+------------+
   | ICMPv4-req-echo-reply         | Rate-L   | Permit    | Rate-L     |
   +-------------------------------+----------+-----------+------------+
   | ICMPv4-req-router-sol         | Rate-L   | Deny      | Rate-L     |
   +-------------------------------+----------+-----------+------------+
   | ICMPv4-req-router-adv         | Rate-L   | Deny      | Rate-L     |
   +-------------------------------+----------+-----------+------------+
   | ICMPv4-req-timestamp-message  | Rate-L   | Deny      | Rate-L     |
   +-------------------------------+----------+-----------+------------+
   | ICMPv4-req-timestamp-reply    | Rate-L   | Deny      | Rate-L     |
   +-------------------------------+----------+-----------+------------+
   | ICMPv4-info-message (Depr)    | Deny     | Deny      | Deny       |
   +-------------------------------+----------+-----------+------------+
   | ICMPv4-info-reply (Depr)      | Deny     | Deny      | Deny       |
   +-------------------------------+----------+-----------+------------+
   | ICMPv4-mask-request           | Rate-L   | Deny      | Rate-L     |
   +-------------------------------+----------+-----------+------------+
   | ICMPv4-mask-reply             | Rate-L   | Deny      | Rate-L     |
   +-------------------------------+----------+-----------+------------+

   [Differences from the -02 table: -02 also carried placeholder rows ICMPv4-unreach, ICMPv4-redirect, ICMPv4-timed and ICMPv4-parameter (N/A in all three columns), and listed the four deprecated messages (ICMPv4-unreach-net-unknown, ICMPv4-unreach-host-isolated, ICMPv4-info-message, ICMPv4-info-reply) as Depr | Deny | Depr rather than Deny | Deny | Deny.]
   Legend: "Depr" = Deprecated; "Rate-L" = Rate-Limit

   Table 1: Summary Recommendations for ICMPv4
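The "Through Device" column of Table 1, together with the rate-limiting that the Threats subsections below give as the mitigation for ICMP error floods, modelled as an added Python example (not code from the draft): it parses raw ICMPv4 headers, verifies the RFC 1071 checksum, maps (type, code) to the draft's row names using the standard RFC 792/1122/1812 code values, and applies Permit / Rate-L / Deny with a token bucket. The bucket parameters, the Deny fallback for malformed messages and for (type, code) pairs Table 1 does not list, and the sample traffic are assumptions of this example.

```python
import struct

# "Through Device" column of Table 1 (-03), keyed by (type, code).  Codes are
# the standard RFC 792/1122/1812 values; the row names are the draft's own.
THROUGH_DEVICE = {
    (3, 0): ("ICMPv4-unreach-net", "Rate-L"),
    (3, 1): ("ICMPv4-unreach-host", "Rate-L"),
    (3, 2): ("ICMPv4-unreach-proto", "Deny"),
    (3, 3): ("ICMPv4-unreach-port", "Deny"),
    (3, 4): ("ICMPv4-unreach-frag-needed", "Permit"),
    (3, 5): ("ICMPv4-unreach-src-route", "Deny"),
    (3, 6): ("ICMPv4-unreach-net-unknown", "Deny"),
    (3, 7): ("ICMPv4-unreach-host-unknown", "Deny"),
    (3, 8): ("ICMPv4-unreach-host-isolated", "Deny"),
    (3, 11): ("ICMPv4-unreach-net-tos", "Deny"),
    (3, 12): ("ICMPv4-unreach-host-tos", "Deny"),
    (3, 13): ("ICMPv4-unreach-admin", "Rate-L"),
    (3, 14): ("ICMPv4-unreach-prec-violation", "Deny"),
    (3, 15): ("ICMPv4-unreach-prec-cutoff", "Deny"),
    (4, 0): ("ICMPv4-quench", "Deny"),
    (5, 0): ("ICMPv4-redirect-net", "Deny"),
    (5, 1): ("ICMPv4-redirect-host", "Deny"),
    (5, 2): ("ICMPv4-redirect-tos-net", "Deny"),
    (5, 3): ("ICMPv4-redirect-tos-host", "Deny"),
    (8, 0): ("ICMPv4-req-echo-message", "Permit"),
    (0, 0): ("ICMPv4-req-echo-reply", "Permit"),
    (10, 0): ("ICMPv4-req-router-sol", "Deny"),
    (9, 0): ("ICMPv4-req-router-adv", "Deny"),
    (11, 0): ("ICMPv4-timed-ttl", "Permit"),
    (11, 1): ("ICMPv4-timed-reass", "Permit"),
    (12, 0): ("ICMPv4-parameter-pointer", "Deny"),
    (12, 1): ("ICMPv4-option-missing", "Deny"),
    (13, 0): ("ICMPv4-req-timestamp-message", "Deny"),
    (14, 0): ("ICMPv4-req-timestamp-reply", "Deny"),
    (15, 0): ("ICMPv4-info-message", "Deny"),
    (16, 0): ("ICMPv4-info-reply", "Deny"),
    (17, 0): ("ICMPv4-mask-request", "Deny"),
    (18, 0): ("ICMPv4-mask-reply", "Deny"),
}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a message whose
    checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4) -> bytes:
    """Constructed sample message: type, code, checksum, 4-byte rest-of-header."""
    hdr = struct.pack("!BBH", icmp_type, code, 0) + rest
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(hdr)) + rest

class TokenBucket:
    """Rate limiter in the spirit of RFC 1812 Section 4.3.2.8: at most
    `rate` messages per second, with bursts of up to `burst`."""
    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def classify(packet: bytes):
    """(row name, Table 1 action) for a raw ICMPv4 message.  Truncated or
    checksum-failing messages and unlisted (type, code) pairs fall back to
    Deny: an assumption of this example, not a statement of the draft."""
    if len(packet) < 8 or icmp_checksum(packet) != 0:
        return ("invalid", "Deny")
    return THROUGH_DEVICE.get((packet[0], packet[1]), ("unlisted", "Deny"))

def forward(packets, limiter: TokenBucket):
    """Apply the Through Device column to (arrival time, message) pairs;
    returns one (row name, "forward" | "drop") per message."""
    decisions = []
    for now, pkt in packets:
        name, action = classify(pkt)
        if action == "Permit":
            decisions.append((name, "forward"))
        elif action == "Rate-L":
            decisions.append((name, "forward" if limiter.allow(now) else "drop"))
        else:
            decisions.append((name, "drop"))
    return decisions

def demo():
    """Constructed traffic within 13 ms: ten Net Unreachable errors, one
    Fragmentation Needed, one deprecated Information Request, and one Echo
    with a corrupted checksum.  Bucket parameters are assumed values."""
    limiter = TokenBucket(rate=100.0, burst=3)
    traffic = [(i * 0.001, build_icmp(3, 0)) for i in range(10)]
    corrupted = bytearray(build_icmp(8, 0))
    corrupted[2] ^= 0xFF  # flip the high byte of the checksum field
    traffic += [(0.011, build_icmp(3, 4)), (0.012, build_icmp(15, 0)),
                (0.013, bytes(corrupted))]
    return forward(traffic, limiter)
```

With the assumed bucket (100/s, burst 3) only the first three Net Unreachable errors of the burst are forwarded, while Fragmentation Needed passes untouched and the deprecated and malformed messages are dropped.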
2.1. ICMPv4 Error Messages

[RFC0792] is the base specification for the Internet Control Message Protocol (ICMP) to be used with the Internet Protocol version 4 (IPv4). It defines, among other things, a number of error messages
skipping to change at page 8, line 40 (-02) / page 8, line 36 (-03)
2.1.1.1.3. Threats

An attacker can potentially perform a Denial of Service (DoS) attack against the router by forcing it to generate a high volume of ICMP Destination Unreachable messages. This can be done by flooding the router with packets which the attacker knows will result in the router spending resources in generating a high volume of ICMP messages.

This attack can be mitigated by rate-limiting the rate of ICMP messages generated. For rate-limiting ICMPv4 messages see Section 4.3.2.8 of [RFC1812].

2.1.1.1.4. Operational and Interoperability Impact if Blocked

May lead to long delays between connection establishment attempts that could have been avoided by those systems aborting non-synchronized connections in response to ICMP soft errors [RFC5461].

2.1.1.2. Host Unreachable (code 1)
skipping to change at page 10, line 14 (-02) / page 10, line 7 (-03)
2.1.1.3.2. Message Specification

Defined in [RFC0792]. [RFC1122] states that a host SHOULD send a protocol unreachable when the designated transport protocol is not supported. Section 4.2.3.9 of [RFC1122] states that this message indicates a hard error condition, so TCP SHOULD abort the connection.

2.1.1.3.3. Threats

Can be exploited to perform connection-reset attacks [RFC5927]. Such attacks need to be mitigated at hosts, as discussed in [RFC5927]. [The second sentence was added in -03.]

An attacker can potentially perform a Denial of Service (DoS) attack against the router by forcing it to generate a high volume of ICMP Destination Unreachable messages. This can be done by flooding the router with packets which the attacker knows will result in the router spending resources in generating a high volume of ICMP messages. These DoS attacks can be mitigated by rate-limiting the rate of ICMP messages generated. For rate-limiting ICMPv4 messages see Section 4.3.2.8 of [RFC1812].

2.1.1.3.4. Operational and Interoperability Impact if Blocked

None.

2.1.1.4. Port Unreachable (code 3)

2.1.1.4.1. Uses

Used by end-systems to signal the source system that it could not
skipping to change at page 11, line 11 (-02) / page 11, line 7 (-03)
but has no protocol mechanism to inform the sender. Additionally, it states that a transport protocol that has its own mechanism for notifying the sender that a port is unreachable MUST nevertheless accept an ICMP Port Unreachable for the same purpose.

Section 4.2.3.9 of [RFC1122] states that this message indicates a hard error condition, so TCP SHOULD abort the connection.

2.1.1.4.3. Threats

Can be exploited to perform connection-reset attacks [RFC5927]. Such attacks need to be mitigated at hosts, as discussed in [RFC5927]. [-02: "Can be abused to perform connection-reset attacks [RFC5927]."]

An attacker can potentially perform a Denial of Service (DoS) attack against the router by forcing it to generate a high volume of ICMP Destination Unreachable messages. This can be done by flooding the router with packets which the attacker knows will result in the router spending resources in generating a high volume of ICMP messages. These DoS attacks can be mitigated by rate-limiting the rate of ICMP messages generated. For rate-limiting ICMPv4 messages see Section 4.3.2.8 of [RFC1812].

2.1.1.4.4. Operational and Interoperability Impact if Blocked

May lead to long delays between connection establishment attempts or long response times that could have been avoided by aborting non-synchronized connections in response to ICMP soft errors [RFC5461].

2.1.1.5. Fragmentation Needed and DF Set (code 4)

2.1.1.5.1. Uses
skipping to change at page 13, line 21 (-02) / page 13, line 14 (-03)
2.1.1.7.3. Threats

An attacker can potentially perform a Denial of Service (DoS) attack against the router by forcing it to generate a high volume of ICMP Destination Unreachable messages. This can be done by flooding the router with packets which the attacker knows will result in the router spending resources in generating a high volume of ICMP messages.

This can be mitigated by not generating these messages and by dropping (rather than forwarding) them, since they have been deprecated. [-02: "This can be mitigated by rate-limiting the rate of ICMP messages generated. For rate-limiting ICMPv4 messages see Section 4.3.2.8 of [RFC1812]."]

2.1.1.7.4. Operational and Interoperability Impact if Blocked

May lead to long delays between connection establishment attempts or long response times that could have been avoided by aborting non-synchronized connections in response to ICMP soft errors [RFC5461].

2.1.1.8. Destination Host Unknown (code 7)

2.1.1.8.1. Uses
skipping to change at page 15, line 25 (-02) / page 15, line 22 (-03)
2.1.1.10.2. Message Specification

This error code is defined in [RFC1122], and was intended for use by end-to-end encryption devices used by U.S. military agencies. [RFC1812] deprecates its use, stating that routers SHOULD use Code 13 (Communication Administratively Prohibited) if they administratively filter packets.

2.1.1.10.3. Threats

May reveal filtering policies. In order to mitigate this issue, a node could deny the generation of these error messages. However, we note that this would also have a negative impact on network troubleshooting. [The mitigation sentences were added in -03.]

An attacker can potentially perform a Denial of Service (DoS) attack against the router by forcing it to generate a high volume of ICMP Destination Unreachable messages. This can be done by flooding the router with packets which the attacker knows will result in the router spending resources in generating a high volume of ICMP messages. These DoS attacks can be mitigated by rate-limiting the rate of ICMP messages generated. For rate-limiting ICMPv4 messages see Section 4.3.2.8 of [RFC1812].

2.1.1.10.4. Operational and Interoperability Impact if Blocked

May lead to long delays between connection establishment attempts or long response times that could have been avoided by aborting non-synchronized connections in response to ICMP soft errors [RFC5461]. However, this error message is deprecated, and thus systems should not depend on it for any purpose.

2.1.1.11. Communication with Destination Host Administratively
skipping to change at page 16, line 17 (-02) / page 16, line 15 (-03)
2.1.1.11.2. Message Specification 2.1.1.11.2. Message Specification
This error code is defined in [RFC1122], and was intended for use by This error code is defined in [RFC1122], and was intended for use by
end-to-end encryption devices used by U.S military agencies. end-to-end encryption devices used by U.S military agencies.
[RFC1812] deprecates its use, stating that routers SHOULD use the [RFC1812] deprecates its use, stating that routers SHOULD use the
Code 13 (Communication Administratively Prohibited) if they Code 13 (Communication Administratively Prohibited) if they
administratively filter packets. administratively filter packets.
2.1.1.11.3. Threats 2.1.1.11.3. Threats
May reveal filtering policies. May reveal filtering policies. In orther to mitigate this issue, a
node could deny the generation of these error messages. However, we
note that this would also have a negative impact on network
troubleshooting.
An attacker can potentially perform a Denial of Service (DoS) attack An attacker can potentially perform a Denial of Service (DoS) attack
against the router by forcing it to generate a high volume of ICMP against the router by forcing it to generate a high volume of ICMP
Destination Unreachable messages. This can be done by flooding the Destination Unreachable messages. This can be done by flooding the
router with packets which the attacker knows will result in the router with packets which the attacker knows will result in the
router spending resources in generating a high volume of ICMP router spending resources in generating a high volume of ICMP
messages. messages.
This can be mitigated by rate-limiting the rate of IMCP messages This can be mitigated by rate-limiting the rate of ICMP messages
generated. For rate-limiting ICMPv4 messages see Section 4.3.2.8 of generated. For rate-limiting ICMPv4 messages see Section 4.3.2.8 of
[RFC1812]. [RFC1812].
2.1.1.11.4. Operational and Interoperability Impact if Blocked 2.1.1.11.4. Operational and Interoperability Impact if Blocked
May lead to long delays between connection establishment attempts or May lead to long delays between connection establishment attempts or
long response times that could have been avoided by aborting non- long response times that could have been avoided by aborting non-
synchronized connections in response to ICMP soft errors [RFC5461]. synchronized connections in response to ICMP soft errors [RFC5461].
However, this error message is deprecated, and thus system should not However, this error message is deprecated, and thus system should not
depend on it for any purpose. depend on it for any purpose.
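Review bot: "In orther to mitigate this issue" (2.1.1.11.3, new text) should read "In order to mitigate this issue", and "thus system should not depend on it for any purpose" (2.1.1.11.4) should be "thus systems should not depend on it for any purpose". The new paragraph says a node "could deny the generation of these error messages" while the paragraph two below recommends rate-limiting per Section 4.3.2.8 of [RFC1812]; state which is preferred (rate-limiting keeps the troubleshooting value that the new sentence itself names as the cost of outright suppression) so the two mitigations do not read as competing advice.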
skipping to change at page 17, line 23 skipping to change at page 17, line 23
2.1.1.12.3. Threats 2.1.1.12.3. Threats
May reveal routing policies. May reveal routing policies.
An attacker can potentially perform a Denial of Service (DoS) attack An attacker can potentially perform a Denial of Service (DoS) attack
against the router by forcing it to generate a high volume of ICMP against the router by forcing it to generate a high volume of ICMP
Destination Unreachable messages. This can be done by flooding the Destination Unreachable messages. This can be done by flooding the
router with packets which the attacker knows will result in the router with packets which the attacker knows will result in the
router spending resources in generating a high volume of ICMP router spending resources in generating a high volume of ICMP
messages. messages. This can be mitigated by rate-limiting the rate of ICMP
messages generated. For rate-limiting ICMPv4 messages see Section
This can be mitigated by rate-limiting the rate of IMCP messages 4.3.2.8 of [RFC1812].
generated. For rate-limiting ICMPv4 messages see Section 4.3.2.8 of
[RFC1812].
2.1.1.12.4. Operational and Interoperability Impact if Blocked 2.1.1.12.4. Operational and Interoperability Impact if Blocked
May lead to long delays between connection establishment attempts or May lead to long delays between connection establishment attempts or
long response times that could have been avoided by aborting non- long response times that could have been avoided by aborting non-
synchronized connections in response to ICMP soft errors [RFC5461]. synchronized connections in response to ICMP soft errors [RFC5461].
2.1.1.13. Host Unreachable for Type of Service (code 12) 2.1.1.13. Host Unreachable for Type of Service (code 12)
2.1.1.13.1. Uses 2.1.1.13.1. Uses
skipping to change at page 18, line 15 skipping to change at page 18, line 14
2.1.1.13.2. Threats 2.1.1.13.2. Threats
May reveal routing policies. May reveal routing policies.
An attacker can potentially perform a Denial of Service (DoS) attack An attacker can potentially perform a Denial of Service (DoS) attack
against the router by forcing it to generate a high volume of ICMP against the router by forcing it to generate a high volume of ICMP
Destination Unreachable messages. This can be done by flooding the Destination Unreachable messages. This can be done by flooding the
router with packets which the attacker knows will result in the router with packets which the attacker knows will result in the
router spending resources in generating a high volume of ICMP router spending resources in generating a high volume of ICMP
messages. messages. This can be mitigated by rate-limiting the rate of ICMP
messages generated. For rate-limiting ICMPv4 messages see Section
This can be mitigated by rate-limiting the rate of IMCP messages 4.3.2.8 of [RFC1812].
generated. For rate-limiting ICMPv4 messages see Section 4.3.2.8 of
[RFC1812].
2.1.1.13.3. Operational and Interoperability Impact if Blocked 2.1.1.13.3. Operational and Interoperability Impact if Blocked
May lead to long delays between connection establishment attempts or May lead to long delays between connection establishment attempts or
long response times that could have been avoided by aborting non- long response times that could have been avoided by aborting non-
synchronized connections in response to ICMP soft errors [RFC5461]. synchronized connections in response to ICMP soft errors [RFC5461].
2.1.1.14. Communication Administratively Prohibited (code 13) 2.1.1.14. Communication Administratively Prohibited (code 13)
2.1.1.14.1. Uses 2.1.1.14.1. Uses
skipping to change at page 19, line 6 skipping to change at page 18, line 51
Given that the semantics of this error message are not accurately Given that the semantics of this error message are not accurately
specified, some systems might abort transport connections upon specified, some systems might abort transport connections upon
receipt of this error message. [RFC5927]. receipt of this error message. [RFC5927].
An attacker can potentially perform a Denial of Service (DoS) attack An attacker can potentially perform a Denial of Service (DoS) attack
against the router by forcing it to generate a high volume of ICMP against the router by forcing it to generate a high volume of ICMP
Destination Unreachable messages. This can be done by flooding the Destination Unreachable messages. This can be done by flooding the
router with packets which the attacker knows will result in the router with packets which the attacker knows will result in the
router spending resources in generating a high volume of ICMP router spending resources in generating a high volume of ICMP
messages. This can be mitigated by rate-limiting the rate of IMCP messages. This can be mitigated by rate-limiting the rate of ICMP
messages generated. For rate-limiting ICMPv4 messages see Section messages generated. For rate-limiting ICMPv4 messages see Section
4.3.2.8 of [RFC1812]. 4.3.2.8 of [RFC1812].
2.1.1.14.4. Operational and Interoperability Impact if Blocked 2.1.1.14.4. Operational and Interoperability Impact if Blocked
May lead to long delays between connection establishment attempts or May lead to long delays between connection establishment attempts or
long response times that could have been avoided by aborting non- long response times that could have been avoided by aborting non-
synchronized connections in response to ICMP soft errors [RFC5461]. synchronized connections in response to ICMP soft errors [RFC5461].
2.1.1.15. Host Precedence Violation (code 14) 2.1.1.15. Host Precedence Violation (code 14)
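Review bot: in 2.1.1.14.3 the citation has been split off its sentence ("...upon receipt of this error message. [RFC5927]."); place [RFC5927] inside the sentence, before the full stop.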
skipping to change at page 19, line 41 skipping to change at page 19, line 37
2.1.1.15.3. Threats 2.1.1.15.3. Threats
May reveal routing policies. May reveal routing policies.
An attacker can potentially perform a Denial of Service (DoS) attack An attacker can potentially perform a Denial of Service (DoS) attack
against the router by forcing it to generate a high volume of ICMP against the router by forcing it to generate a high volume of ICMP
Destination Unreachable messages. This can be done by flooding the Destination Unreachable messages. This can be done by flooding the
router with packets which the attacker knows will result in the router with packets which the attacker knows will result in the
router spending resources in generating a high volume of ICMP router spending resources in generating a high volume of ICMP
messages. This can be mitigated by rate-limiting the rate of IMCP messages. This can be mitigated by rate-limiting the rate of ICMP
messages generated. For rate-limiting ICMPv4 messages see Section messages generated. For rate-limiting ICMPv4 messages see Section
4.3.2.8 of [RFC1812]. 4.3.2.8 of [RFC1812].
2.1.1.15.4. Operational and Interoperability Impact if Blocked 2.1.1.15.4. Operational and Interoperability Impact if Blocked
May lead to long delays between connection establishment attempts or May lead to long delays between connection establishment attempts or
long response times that could have been avoided by aborting non- long response times that could have been avoided by aborting non-
synchronized connections in response to ICMP soft errors [RFC5461]. synchronized connections in response to ICMP soft errors [RFC5461].
2.1.1.16. Precedence Cutoff in Effect (code 15) 2.1.1.16. Precedence Cutoff in Effect (code 15)
skipping to change at page 20, line 26 skipping to change at page 20, line 23
imposed a minimum level of precedence required for operation, and a imposed a minimum level of precedence required for operation, and a
datagram was sent with a precedence below this level. datagram was sent with a precedence below this level.
2.1.1.16.3. Threats 2.1.1.16.3. Threats
An attacker can potentially perform a Denial of Service (DoS) attack An attacker can potentially perform a Denial of Service (DoS) attack
against the router by forcing it to generate a high volume of ICMP against the router by forcing it to generate a high volume of ICMP
Destination Unreachable messages. This can be done by flooding the Destination Unreachable messages. This can be done by flooding the
router with packets which the attacker knows will result in the router with packets which the attacker knows will result in the
router spending resources in generating a high volume of ICMP router spending resources in generating a high volume of ICMP
messages. This can be mitigated by rate-limiting the rate of IMCP messages. This can be mitigated by rate-limiting the rate of ICMP
messages generated. For rate-limiting ICMPv4 messages see Section messages generated. For rate-limiting ICMPv4 messages see Section
4.3.2.8 of [RFC1812]. 4.3.2.8 of [RFC1812].
2.1.1.16.4. Operational and Interoperability Impact if Blocked 2.1.1.16.4. Operational and Interoperability Impact if Blocked
May lead to long delays between connection establishment attempts or May lead to long delays between connection establishment attempts or
long response times that could have been avoided by aborting non- long response times that could have been avoided by aborting non-
synchronized connections in response to ICMP soft errors [RFC5461]. synchronized connections in response to ICMP soft errors [RFC5461].
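The Threats text for codes 11 through 15 above repeats the same advice: a router must not let an attacker turn it into an ICMP error generator, and Section 4.3.2.8 of [RFC1812] asks for a limit on the rate at which such errors are produced. The following is an added example, not text or code from the draft or its authors: a token-bucket limiter in Python that decides, for a stream of packets that would each trigger a Destination Unreachable, which error messages actually get sent. RFC 1812 mandates a limiting mechanism but no algorithm, so the token bucket, the 10 errors/s and burst-of-5 figures, and the attacker traffic are all this example's own constructed assumptions.

```python
"""Rate-limiting ICMP error generation with a token bucket (added example).

RFC 1812 section 4.3.2.8 requires that a router be able to limit the rate
at which it generates ICMP error messages, but leaves the algorithm open;
the token bucket below is this example's own choice.  All traffic is
constructed in-line.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class IcmpErrorRateLimiter:
    """Emit at most `rate` ICMP errors per second, with `burst` allowed at once."""
    rate: float                 # tokens (= error messages) replenished per second
    burst: int                  # bucket capacity, i.e. the largest instantaneous burst
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)      # start full so the first errors go out

    def allow(self, now: float) -> bool:
        """Return True if an ICMP error may be generated at time `now` (seconds)."""
        if now < self.last:
            raise ValueError("timestamps must be non-decreasing")
        self.tokens = min(float(self.burst),
                          self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def process(limiter: IcmpErrorRateLimiter,
            arrivals: List[Tuple[float, str]]) -> Tuple[int, int]:
    """Feed (timestamp, source) events, each a packet that would trigger a
    Destination Unreachable.  Returns (errors_generated, errors_suppressed).
    The offending packet is still dropped as usual; only the ICMP reply
    is subject to the limiter."""
    generated = suppressed = 0
    for ts, _src in arrivals:
        if limiter.allow(ts):
            generated += 1
        else:
            suppressed += 1
    return generated, suppressed


def run_scenario() -> Dict[str, Tuple[int, int]]:
    """Constructed traffic: 1000-packet bursts from one attacker at t = 0, 0.25
    and 0.5 s against a limiter of 10 errors/s with a burst of 5, followed by
    a single legitimate unreachable destination one second after the flood."""
    limiter = IcmpErrorRateLimiter(rate=10.0, burst=5)
    flood = [(t, "203.0.113.66") for t in (0.0, 0.25, 0.5) for _ in range(1000)]
    flood_result = process(limiter, flood)                  # (10, 2990): 5 + 2 + 3 errors
    legit_result = process(limiter, [(1.5, "192.0.2.10")])  # (1, 0): bucket has refilled
    return {"flood": flood_result, "legit": legit_result}


if __name__ == "__main__":
    for name, (gen, sup) in run_scenario().items():
        print(f"{name}: generated={gen} suppressed={sup}")
```

A single bucket is used so the arithmetic is easy to follow: 5 errors from the initial burst, then 2 and 3 as the bucket refills at 10 tokens per second, so 10 of the 3000 flood packets are answered, and the legitimate packet a second later still gets its error. A production router would keep separate buckets per interface or per source prefix, so that one flooding source cannot starve the error messages operators rely on for troubleshooting.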
2.1.2. Source Quench (Type 4, Code 0) 2.1.2. Source Quench (Type 4, Code 0)
skipping to change at page 21, line 48 skipping to change at page 21, line 43
2.1.3.1.2. Message Specification 2.1.3.1.2. Message Specification
Defined in [RFC0792]. Defined in [RFC0792].
2.1.3.1.3. Threats 2.1.3.1.3. Threats
Can be abused by an attacker to redirect all or some traffic to Can be abused by an attacker to redirect all or some traffic to
himself and/or to perform a DoS attack. himself and/or to perform a DoS attack.
This issue could be mitigated by disabling reaction to ICMP Redirect
messages at hosts and/or dropping these messages at the network.
2.1.3.1.4. Operational and Interoperability Impact if Blocked 2.1.3.1.4. Operational and Interoperability Impact if Blocked
If the ICMP redirect was originated in some network segment other If the ICMP redirect was originated in some network segment other
than the one it should be forwarded on, there is no operational than the one it should be forwarded on, there is no operational
impact, as the message is bogus or part of an attack. If an ICMP impact, as the message is bogus or part of an attack. If an ICMP
Redirect that was locally generated is blocked, the end-system will Redirect that was locally generated is blocked, the end-system will
not be informed of the better first-hop for reaching the target not be informed of the better first-hop for reaching the target
network, and thus this would result in less-optimum routes being used network, and thus this would result in less-optimum routes being used
to get the target network. to get the target network.
skipping to change at page 22, line 25 skipping to change at page 22, line 23
2.1.3.2.2. Message Specification 2.1.3.2.2. Message Specification
Defined in [RFC0792]. Defined in [RFC0792].
2.1.3.2.3. Threats 2.1.3.2.3. Threats
Can be abused by an attacker to redirect all or some traffic to Can be abused by an attacker to redirect all or some traffic to
himself and/or to perform a DoS attack. himself and/or to perform a DoS attack.
This issue could be mitigated by disabling reaction to ICMP Redirect
messages at hosts and/or dropping these messages at the network.
2.1.3.2.4. Operational and Interoperability Impact if Blocked 2.1.3.2.4. Operational and Interoperability Impact if Blocked
If the ICMP redirect was originated in some network segment other If the ICMP redirect was originated in some network segment other
than the one it should be forwarded on, there is no operational than the one it should be forwarded on, there is no operational
impact, as the message is bogus or part of an attack. If an ICMP impact, as the message is bogus or part of an attack. If an ICMP
Redirect that was locally generated is blocked, the end-system will Redirect that was locally generated is blocked, the end-system will
not be informed of the better first-hop for reaching the target not be informed of the better first-hop for reaching the target
network, and thus this would result in less-optimum routes being used network, and thus this would result in less-optimum routes being used
to get the target network. to get the target network.
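Review bot: "less-optimum routes being used to get the target network" (2.1.3.1.4 and 2.1.3.2.4 here, and 2.1.3.3.4 in the next hunk) should be "to reach the target network". In the new mitigation sentence, "dropping these messages at the network" is vague; since the same section states that a Redirect originating on a segment other than the one it arrived on is bogus, say "dropping them at any router that would otherwise forward them", which is the concrete filter a reader can deploy.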
skipping to change at page 23, line 5 skipping to change at page 23, line 10
2.1.3.3.2. Message Specification 2.1.3.3.2. Message Specification
Defined in [RFC0792]. Defined in [RFC0792].
2.1.3.3.3. Threats 2.1.3.3.3. Threats
Can be abused by an attacker to direct all or some traffic to himself Can be abused by an attacker to direct all or some traffic to himself
and/or to perform a DoS attack. and/or to perform a DoS attack.
This issue could be mitigated by disabling reaction to ICMP Redirect
messages at hosts and/or dropping these messages at the network.
2.1.3.3.4. Operational and Interoperability Impact if Blocked 2.1.3.3.4. Operational and Interoperability Impact if Blocked
If the ICMP redirect was originated in some network segment other If the ICMP redirect was originated in some network segment other
than the one it should be forwarded on, there is no operational than the one it should be forwarded on, there is no operational
impact, as the message is bogus or part of an attack. If an ICMP impact, as the message is bogus or part of an attack. If an ICMP
Redirect that was locally generated is blocked, the end-system will Redirect that was locally generated is blocked, the end-system will
not be informed of the better first-hop for reaching the target not be informed of the better first-hop for reaching the target
network, and thus this would result in less-optimum routes being used network, and thus this would result in less-optimum routes being used
to get the target network. to get the target network.
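Sections 2.1.3.1 through 2.1.3.3 give the same mitigation for all three Redirect codes, disable reaction at hosts or drop the messages, and observe that a Redirect from another segment is bogus. As an added example (not from the draft or its authors), the Python below performs the validation a host can apply before honouring a Redirect: the checks from Section 3.2.2.2 of RFC 1122 (the sender must be the current first-hop gateway for the quoted destination, and the new gateway must lie on the link the Redirect arrived on), a check that the quoted datagram was really sent by this host, ICMP checksum verification, and a policy switch modelling the host-side "disable reaction" option. The host addresses, routing table and raw packets are constructed for the example.

```python
"""Validating an ICMPv4 Redirect before acting on it (added example).

Implements the host-side checks of RFC 1122 section 3.2.2.2 (the Redirect
must come from the current first-hop gateway for the destination, and the
new gateway must be on the link the Redirect arrived on), plus a policy
switch modelling "disable reaction to ICMP Redirect messages at hosts".
Packets and host state are constructed in-line.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, Optional

ICMP_REDIRECT = 5


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 for a correctly checksummed message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class HostState:
    my_addr: ipaddress.IPv4Address
    link: ipaddress.IPv4Network                   # the (sub)net the Redirect arrived on
    routes: Dict[ipaddress.IPv4Network, ipaddress.IPv4Address]   # prefix -> first hop
    accept_redirects: bool = True                 # cf. Linux net.ipv4.conf.*.accept_redirects

    def first_hop(self, dst: ipaddress.IPv4Address) -> Optional[ipaddress.IPv4Address]:
        """Longest-prefix match over the routing table."""
        best = None
        for net, gw in self.routes.items():
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        return best[1] if best else None


def check_redirect(state: HostState, sender: str, icmp: bytes) -> str:
    """Return "accept" or "discard: <reason>" for a raw ICMPv4 message from `sender`."""
    if not state.accept_redirects:
        return "discard: redirects disabled by policy"
    if len(icmp) < 8 + 20 + 8:                    # ICMP header + embedded IP header + 8 octets
        return "discard: truncated"
    if icmp_checksum(icmp) != 0:
        return "discard: bad checksum"
    typ, code, _cks, gw_raw = struct.unpack("!BBH4s", icmp[:8])
    if typ != ICMP_REDIRECT or code > 3:
        return "discard: not a redirect"
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return "discard: malformed embedded datagram"
    inner_src = ipaddress.IPv4Address(inner[12:16])
    inner_dst = ipaddress.IPv4Address(inner[16:20])
    if inner_src != state.my_addr:
        return "discard: embedded datagram was not sent by this host"
    if ipaddress.IPv4Address(sender) != state.first_hop(inner_dst):
        return "discard: sender is not the current first hop for the destination"
    new_gw = ipaddress.IPv4Address(gw_raw)
    if new_gw not in state.link:
        return "discard: new gateway is not on the arrival link"
    return "accept"


def build_redirect(new_gw: str, orig_src: str, orig_dst: str, code: int = 1) -> bytes:
    """Construct a Redirect (code 1 = host) quoting a UDP datagram orig_src -> orig_dst."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                        ipaddress.IPv4Address(orig_src).packed,
                        ipaddress.IPv4Address(orig_dst).packed)
    inner += struct.pack("!HHHH", 40000, 53, 8, 0)    # first 8 octets of the UDP header
    body = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0,
                       ipaddress.IPv4Address(new_gw).packed) + inner
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def run_scenarios() -> Dict[str, str]:
    """Constructed host 192.0.2.10/24 with default route via 192.0.2.1."""
    host = HostState(my_addr=ipaddress.IPv4Address("192.0.2.10"),
                     link=ipaddress.IPv4Network("192.0.2.0/24"),
                     routes={ipaddress.IPv4Network("0.0.0.0/0"): ipaddress.IPv4Address("192.0.2.1")})
    legit = build_redirect("192.0.2.2", "192.0.2.10", "198.51.100.7")
    results = {
        "legit": check_redirect(host, "192.0.2.1", legit),
        "forged_sender": check_redirect(host, "203.0.113.9", legit),
        "offlink_gateway": check_redirect(host, "192.0.2.1",
                                          build_redirect("203.0.113.1", "192.0.2.10", "198.51.100.7")),
        "not_my_traffic": check_redirect(host, "192.0.2.1",
                                         build_redirect("192.0.2.2", "192.0.2.11", "198.51.100.7")),
        "corrupted": check_redirect(host, "192.0.2.1", legit[:-1] + bytes([legit[-1] ^ 1])),
    }
    host.accept_redirects = False
    results["policy_off"] = check_redirect(host, "192.0.2.1", legit)
    return results
```

The first-hop and on-link checks are what defeat a remote attacker, since a forged Redirect must arrive from the real gateway's address on the local link to pass them. The policy switch corresponds to the per-interface accept_redirects knob on Linux; turning it off is the simplest option where routes are static anyway. Length and checksum are validated before any field is interpreted.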
skipping to change at page 27, line 31 skipping to change at page 27, line 31
respect to the generation and processing of ICMP Echo or Echo Reply respect to the generation and processing of ICMP Echo or Echo Reply
messsages, including: maximum ICMP message size all routers are messsages, including: maximum ICMP message size all routers are
required to receive, a number of factors that may determine whether a required to receive, a number of factors that may determine whether a
router responds (or not) to an ICMP Echo message, the implementation router responds (or not) to an ICMP Echo message, the implementation
of a user/application-layer interface, and the processing of Record of a user/application-layer interface, and the processing of Record
Route, Timestamp and/or Source Route options that might be present in Route, Timestamp and/or Source Route options that might be present in
an ICMP Echo message. an ICMP Echo message.
2.2.1.1.3. Threats 2.2.1.1.3. Threats
Can be used for network mapping [icmp-scanning]. Has been exploited Can be used for network mapping [icmp-scanning]. This vector could
to perform Smurf attacks [smurf]. be partially mitigated by applying rate-limit to this traffic.
Has been exploited to perform Smurf attacks [smurf]. A router could
mitigate this by dropping ICMP echor request messages directed to any
of its directly-connected subnets.
2.2.1.1.4. Operational and Interoperability Impact if Blocked 2.2.1.1.4. Operational and Interoperability Impact if Blocked
Filtering this error message will break the ping tool. The best Filtering this error message will break the ping tool. The best
current practice is to rate-limit this ICMP message. current practice is to rate-limit this ICMP message.
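The new Smurf text above tells a router to drop Echo Requests aimed at its directly connected subnets. The distinction that matters is between an Echo Request to a host on such a subnet, which must keep working or ping breaks as the Operational Impact paragraph above warns, and one to the subnet's broadcast address, which is what the [smurf] amplifier relies on. The following is an added example in Python, not the draft's text or code: it classifies an Echo Request destination against a router's connected prefixes, handles the /31 links of RFC 3021 that have no broadcast address, and optionally treats the legacy all-zeros host part as broadcast, as RFC 1122 Section 3.3.6 asks receivers to do. The interface prefixes and sample destinations are constructed.

```python
"""Telling a directed-broadcast Echo Request from ordinary unicast (added example).

The Smurf amplifier in CERT CA-1998-01 is an Echo Request sent to a subnet's
broadcast address.  This lets a router drop exactly those while still
forwarding Echo Requests to hosts on its connected subnets.  Interface
prefixes and sample addresses are constructed in-line.
"""
import ipaddress
from typing import Iterable, List

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def is_directed_broadcast(dst, connected: Iterable[ipaddress.IPv4Network],
                          accept_zero_form: bool = True) -> bool:
    """True if `dst` is the all-ones broadcast address of one of `connected`
    (or, when accept_zero_form is set, the legacy all-zeros form that RFC 1122
    section 3.3.6 asks receivers to recognise for 4.2BSD compatibility)."""
    dst = ipaddress.IPv4Address(dst)
    for net in connected:
        if net.prefixlen >= 31:
            continue            # /31 (RFC 3021) and /32 links have no broadcast address
        if dst == net.broadcast_address:
            return True
        if accept_zero_form and dst == net.network_address:
            return True
    return False


def echo_request_verdict(dst, connected: List[ipaddress.IPv4Network]) -> str:
    """Forwarding decision for an ICMP Echo Request with destination `dst`."""
    d = ipaddress.IPv4Address(dst)
    if d == LIMITED_BROADCAST:
        return "drop: limited broadcast is never forwarded"
    if d.is_multicast:
        return "multicast: handled by the multicast forwarding path"
    if is_directed_broadcast(d, connected):
        return "drop: directed broadcast (Smurf amplifier)"
    if any(d in net for net in connected):
        return "forward: unicast to a host on a connected subnet"
    return "forward: transit unicast"


CONNECTED = [ipaddress.IPv4Network("192.0.2.0/24"),      # constructed LAN
             ipaddress.IPv4Network("198.51.100.0/31")]   # constructed /31 uplink


def classify_all() -> dict:
    """Verdicts for a constructed set of destinations."""
    samples = ["192.0.2.255", "192.0.2.0", "192.0.2.10",
               "198.51.100.1", "255.255.255.255", "203.0.113.5"]
    return {s: echo_request_verdict(s, CONNECTED) for s in samples}


if __name__ == "__main__":
    for dst, verdict in classify_all().items():
        print(f"{dst:>16}  {verdict}")
```

Rate-limiting, the other mitigation the section names, sits on top of this decision: a directed broadcast is dropped outright, while unicast Echo Requests pass through a limiter so that ping keeps working under load. Without the /31 exception, 198.51.100.1 would be misclassified as broadcast and the uplink peer would become unpingable.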
2.2.1.2. Echo Reply Message (Type 0, code 0) 2.2.1.2. Echo Reply Message (Type 0, code 0)
2.2.1.2.1. Uses 2.2.1.2.1. Uses
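Review bot: "echor request" (2.2.1.1.3, new text) should be "echo request", and "messsages" (2.2.1.1.2) should be "messages". Two further points in this hunk. First, 2.2.1.1.4 says "Filtering this error message will break the ping tool", but Echo Request is an informational message, not an error message; write "Filtering this message". Second, the new Smurf mitigation, "dropping ICMP echo request messages directed to any of its directly-connected subnets", as worded covers every unicast address on those subnets and would break ping to every host behind the router. The [smurf] amplifier is the subnet-directed broadcast address, so this should read "directed to the broadcast address of any of its directly connected subnets"; that is also the default behaviour RFC 2644 (BCP 34) already requires of routers and is worth citing here.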
skipping to change at page 31, line 8 skipping to change at page 31, line 16
Defined in [RFC0792]. Defined in [RFC0792].
These messages are described in [RFC0792] as "a way for a host to These messages are described in [RFC0792] as "a way for a host to
find out the number of the network it is on". Section 3.2.2.7 of find out the number of the network it is on". Section 3.2.2.7 of
[RFC1122] and Section 4.3.3.7 of [RFC1812] deprecate the use of these [RFC1122] and Section 4.3.3.7 of [RFC1812] deprecate the use of these
messages. messages.
2.2.4.1.3. Threats 2.2.4.1.3. Threats
Allows for OS (Operating Sytem) and device fingerprintng. Allows for OS (Operating Sytem) and device fingerprintng. Since this
messages have been deprecated, the best possible mitigation is to not
generate and to drop any received Information Request messages.
2.2.4.1.4. Operational and Interoperability Impact if Blocked 2.2.4.1.4. Operational and Interoperability Impact if Blocked
None. None.
2.2.4.2. Information Reply Message (type 16, code 0) 2.2.4.2. Information Reply Message (type 16, code 0)
2.2.4.2.1. Uses 2.2.4.2.1. Uses
These messages originally provided a basic and simple mechanism for These messages originally provided a basic and simple mechanism for
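Review bot: 2.2.4.1.3 has "Operating Sytem" for "Operating System", "fingerprintng" for "fingerprinting", and in the new sentence "Since this messages have been deprecated" for "Since these messages have been deprecated".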
skipping to change at page 33, line 40 skipping to change at page 34, line 4
| ICMPv6-timed-hop-limit | Send | Permit | Rate-L | | ICMPv6-timed-hop-limit | Send | Permit | Rate-L |
+---------------------------------+-----------+---------+-----------+ +---------------------------------+-----------+---------+-----------+
| ICMPv6-timed-reass | Send | Permit | Rate-L | | ICMPv6-timed-reass | Send | Permit | Rate-L |
+---------------------------------+-----------+---------+-----------+ +---------------------------------+-----------+---------+-----------+
| ICMPv6-parameter | Rate-L | Permit | Rate-L | | ICMPv6-parameter | Rate-L | Permit | Rate-L |
+---------------------------------+-----------+---------+-----------+ +---------------------------------+-----------+---------+-----------+
| ICMPv6-parameter-err-header | Rate-L | Deny | Rate-L | | ICMPv6-parameter-err-header | Rate-L | Deny | Rate-L |
+---------------------------------+-----------+---------+-----------+ +---------------------------------+-----------+---------+-----------+
| ICMPv6-parameter-unrec-header | Rate-L | Deny | Rate-L | | ICMPv6-parameter-unrec-header | Rate-L | Deny | Rate-L |
+---------------------------------+-----------+---------+-----------+ +---------------------------------+-----------+---------+-----------+
+---------------------------------+-----------+---------+-----------+
| ICMPv6-parameter-unrec-option | Rate-L | Permit | Rate-L | | ICMPv6-parameter-unrec-option | Rate-L | Permit | Rate-L |
+---------------------------------+-----------+---------+-----------+ +---------------------------------+-----------+---------+-----------+
| ICMPv6-err-private-exp-100 | Send | Deny | Rate-L | | ICMPv6-err-private-exp-100 | Send | Deny | Rate-L |
+---------------------------------+-----------+---------+-----------+ +---------------------------------+-----------+---------+-----------+
| ICMPv6-err-private-exp-101 | Send | Deny | Rate-L | | ICMPv6-err-private-exp-101 | Send | Deny | Rate-L |
+---------------------------------+-----------+---------+-----------+ +---------------------------------+-----------+---------+-----------+
| ICMPv6-err-expansion | Send | Permit | Rate-L | | ICMPv6-err-expansion | Send | Permit | Rate-L |
+---------------------------------+-----------+---------+-----------+ +---------------------------------+-----------+---------+-----------+
| ICMPv6-echo-message | Send | Permit | Rate-L | | ICMPv6-echo-message | Send | Permit | Rate-L |
+---------------------------------+-----------+---------+-----------+ +---------------------------------+-----------+---------+-----------+
| ICMPv6-echo-reply | Send | Permit | Rate-L | | ICMPv6-echo-reply | Send | Permit | Rate-L |
+---------------------------------+-----------+---------+-----------+ +---------------------------------+-----------+---------+-----------+
| ICMPv6-info-private-exp-200 | Send | Deny | Rate-L | | ICMPv6-info-private-exp-200 | Send | Deny | Rate-L |
+---------------------------------+-----------+---------+-----------+
| ICMPv6-info-private-exp-201 | Send | Deny | Rate-L | | ICMPv6-info-private-exp-201 | Send | Deny | Rate-L |
+---------------------------------+-----------+---------+-----------+ +---------------------------------+-----------+---------+-----------+
| ICMPv6-info-expansion | Send | Permit | Rate-L | | ICMPv6-info-expansion | Send | Permit | Rate-L |
+---------------------------------+-----------+---------+-----------+ +---------------------------------+-----------+---------+-----------+
Legend: "Rate-L" = Rate-Limit Legend: "Rate-L" = Rate-Limit
Table 2: Summary Recommendations for ICMPv6 Table 2: Summary Recommendations for ICMPv6
3.1. ICMPv6 Error Messages 3.1. ICMPv6 Error Messages
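Review bot: in the -03 column of Table 2 the separator row following ICMPv6-parameter-unrec-header is duplicated, and the separator between ICMPv6-info-private-exp-200 and ICMPv6-info-private-exp-201 has been dropped; restore exactly one separator row between entries so the table renders consistently.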
skipping to change at page 39, line 14 skipping to change at page 39, line 22
3.1.2.3. Threats 3.1.2.3. Threats
This error message can be used to perform Denial of Service (DoS) This error message can be used to perform Denial of Service (DoS)
attacks against transport protocols. [RFC5927] describes the use of attacks against transport protocols. [RFC5927] describes the use of
this error message to attack TCP connections. this error message to attack TCP connections.
3.1.2.4. Operational and Interoperability Impact if Blocked 3.1.2.4. Operational and Interoperability Impact if Blocked
Filtering this error message will break the Path-MTU Discovery Filtering this error message will break the Path-MTU Discovery
mechanism defined in [RFC1981]. mechanism defined in [RFC1981], which could lead to a Denial of
Service (unless the sending node implements some for of Path-MTU
blackhole detection).
3.1.3. Time Exceeded Message (Type 3) 3.1.3. Time Exceeded Message (Type 3)
3.1.3.1. Hop limit exceeded in transit (code 0) 3.1.3.1. Hop limit exceeded in transit (code 0)
3.1.3.1.1. Uses 3.1.3.1.1. Uses
A number of systems abort connections in non-synchronized states in A number of systems abort connections in non-synchronized states in
response to this message, to avoid long delays in connection response to this message, to avoid long delays in connection
establishment attempts [RFC5461]. establishment attempts [RFC5461].
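Review bot: "some for of Path-MTU blackhole detection" (3.1.2.4, new text) should be "some form of Path-MTU blackhole detection". Since the sentence now warns that filtering Packet Too Big can amount to a Denial of Service, name the remedy: RFC 4821 (Packetization Layer Path MTU Discovery) is the standard mechanism that keeps working when these messages are filtered, and a pointer to it gives the reader something to act on.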
skipping to change at page 46, line 27 skipping to change at page 46, line 36
5. Security Considerations 5. Security Considerations
This document does not introduce any new security implications. It This document does not introduce any new security implications. It
attempts to help mitigate security threats that rely on ICMP or attempts to help mitigate security threats that rely on ICMP or
ICMPv6 messages, through packet filtering and rate-limiting. ICMPv6 messages, through packet filtering and rate-limiting.
6. Acknowledgements 6. Acknowledgements
The authors would like to thank (in alphabetical order) Steinthor The authors would like to thank (in alphabetical order) Steinthor
Bjarnason and Alfred Hoenes for their valuable feedback on earlier Bjarnason, Alfred Hoenes, and Panos Kampanakis, for their valuable
versions of this document. feedback on earlier versions of this document.
The survey of ICMP specifications is based on a yet-to-be-published The survey of ICMP specifications is based on a yet-to-be-published
internet-draft on ICMP by Fernando Gont and Carlos Pignataro. This internet-draft on ICMP by Fernando Gont and Carlos Pignataro. This
document borrows its structure from the "ICMP filtering" wiki started document borrows its structure from the "ICMP filtering" wiki started
by George Jones. by George Jones.
7. References 7. References
7.1. Normative References 7.1. Normative References
[RFC0792] Postel, J., "Internet Control Message Protocol", STD 5, [RFC0792] Postel, J., "Internet Control Message Protocol", STD 5,
RFC 792, September 1981. RFC 792, September 1981.
[RFC1122] Braden, R., "Requirements for Internet Hosts - [RFC1122] Braden, R., "Requirements for Internet Hosts -
Communication Layers", STD 3, RFC 1122, October 1989. Communication Layers", STD 3, RFC 1122, October 1989.
[RFC1191] Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191, [RFC1191] Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191,
November 1990. November 1990.
skipping to change at page 47, line 29 skipping to change at page 47, line 41
Message Protocol (ICMPv6) for the Internet Protocol Message Protocol (ICMPv6) for the Internet Protocol
Version 6 (IPv6) Specification", RFC 4443, March 2006. Version 6 (IPv6) Specification", RFC 4443, March 2006.
[RFC5681] Allman, M., Paxson, V., and E. Blanton, "TCP Congestion [RFC5681] Allman, M., Paxson, V., and E. Blanton, "TCP Congestion
Control", RFC 5681, September 2009. Control", RFC 5681, September 2009.
7.2. Informative References 7.2. Informative References
[I-D.ietf-tsvwg-source-quench] [I-D.ietf-tsvwg-source-quench]
Gont, F., "Deprecation of ICMP Source Quench messages", Gont, F., "Deprecation of ICMP Source Quench messages",
draft-ietf-tsvwg-source-quench-04 (work in progress), draft-ietf-tsvwg-source-quench-06 (work in progress),
January 2012. February 2012.
[RFC5461] Gont, F., "TCP's Reaction to Soft Errors", RFC 5461, [RFC5461] Gont, F., "TCP's Reaction to Soft Errors", RFC 5461,
February 2009. February 2009.
[RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927, July 2010. [RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927, July 2010.
[icmp-scanning] [icmp-scanning]
Arkin, 0., "ICMP Usage in Scanning: The Complete Know- Arkin, 0., "ICMP Usage in Scanning: The Complete Know-
How", http://www.sys-security.com/archive/papers/ How", http://www.sys-security.com/archive/papers/
ICMP_Scanning_v3.0.pdf, 2001. ICMP_Scanning_v3.0.pdf, 2001.
[smurf] CERT, "CERT Advisory CA-1998-01: Smurf IP Denial-of- [smurf] CERT, "CERT Advisory CA-1998-01: Smurf IP Denial-of-
Service Attacks", Service Attacks",
http://www.cert.org/advisories/CA-1998-01.html, 1998. http://www.cert.org/advisories/CA-1998-01.html, 1998.
Appendix A. Change log (to be removed before publication of the
document as an RFC)
A.1. Changes from draft-ietf-opsec-icmp-filtering-00
o Populated a few more sections
o Updated outdated references
o Minor editorial changes
A.2. Changes from draft-gont-opsec-icmp-filtering-00
o Resubmitted the Internet Draft as "draft-ietf"
o Swapped order of the "Uses" and "Message Specification" sections
for each of the ICMP messages, as suggested by Alfred Hoenes.
o Populated a number of sections of the draft.
Authors' Addresses Authors' Addresses
Fernando Gont Fernando Gont
Universidad Tecnologica Nacional / Facultad Regional Haedo Universidad Tecnologica Nacional / Facultad Regional Haedo
Pueyrredon 76, 3A Pueyrredon 76, 3A
Ramos Mejia, Provincia de Buenos Aires 1704 Ramos Mejia, Provincia de Buenos Aires 1704
Argentina Argentina
Phone: +54 11 4650 8472 Phone: +54 11 4650 8472
Email: fernando@gont.com.ar Email: fernando@gont.com.ar
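Review bot: in the [icmp-scanning] entry of 7.2 the author's initial is the digit "0." in both versions; it should be the letter "O." (Ofir Arkin).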
 End of changes. 38 change blocks. 
159 lines changed or deleted 146 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/