draft-ietf-tcpm-icmp-attacks-03.txt   draft-ietf-tcpm-icmp-attacks-04.txt 
TCP Maintenance and Minor F. Gont TCP Maintenance and Minor F. Gont
Extensions (tcpm) UTN/FRH Extensions (tcpm) UTN/FRH
Intended status: Informational Intended status: Informational
Expires: September 15, 2008 Expires: April 30, 2009
ICMP attacks against TCP ICMP attacks against TCP
draft-ietf-tcpm-icmp-attacks-03.txt draft-ietf-tcpm-icmp-attacks-04.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 35 skipping to change at page 1, line 35
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on September 15, 2008. This Internet-Draft will expire on April 30, 2009.
Abstract Abstract
This document discusses the use of the Internet Control Message This document discusses the use of the Internet Control Message
Protocol (ICMP) to perform a variety of attacks against the Protocol (ICMP) to perform a variety of attacks against the
Transmission Control Protocol (TCP) and other similar protocols. Transmission Control Protocol (TCP) and other similar protocols.
Additionally, describes a number of widely implemented modifications Additionally, describes a number of widely implemented modifications
to TCP's handling of ICMP error messages that help to mitigate these to TCP's handling of ICMP error messages that help to mitigate these
issues. issues.
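Review bot: The second sentence of the Abstract has no subject in either version ("Additionally, describes a number of widely implemented modifications"); suggest "Additionally, it describes a number of widely implemented modifications to TCP's handling of ICMP error messages that help to mitigate these issues." so the sentence stands on its own when the Abstract is read in isolation, as it will be in the I-D index.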
skipping to change at page 2, line 48 skipping to change at page 2, line 48
8. Security Considerations . . . . . . . . . . . . . . . . . . . 28 8. Security Considerations . . . . . . . . . . . . . . . . . . . 28
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 28 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 28
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 29 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 29
10.1. Normative References . . . . . . . . . . . . . . . . . . . 29 10.1. Normative References . . . . . . . . . . . . . . . . . . . 29
10.2. Informative References . . . . . . . . . . . . . . . . . . 29 10.2. Informative References . . . . . . . . . . . . . . . . . . 29
Appendix A. An analysis of ICMP hard errors . . . . . . . . . . . 32 Appendix A. An analysis of ICMP hard errors . . . . . . . . . . . 32
Appendix B. Advice and guidance to vendors . . . . . . . . . . . 33 Appendix B. Advice and guidance to vendors . . . . . . . . . . . 33
Appendix C. Changes from previous versions of the draft (to Appendix C. Changes from previous versions of the draft (to
be removed by the RFC Editor before publishing be removed by the RFC Editor before publishing
this document as an RFC) . . . . . . . . . . . . . . 33 this document as an RFC) . . . . . . . . . . . . . . 33
C.1. Changes from draft-ietf-tcpm-icmp-attacks-02 . . . . . . . 33 C.1. Changes from draft-ietf-tcpm-icmp-attacks-03 . . . . . . . 33
C.2. Changes from draft-ietf-tcpm-icmp-attacks-01 . . . . . . . 34 C.2. Changes from draft-ietf-tcpm-icmp-attacks-02 . . . . . . . 34
C.3. Changes from draft-ietf-tcpm-icmp-attacks-00 . . . . . . . 34 C.3. Changes from draft-ietf-tcpm-icmp-attacks-01 . . . . . . . 34
C.4. Changes from draft-gont-tcpm-icmp-attacks-05 . . . . . . . 35 C.4. Changes from draft-ietf-tcpm-icmp-attacks-00 . . . . . . . 34
C.5. Changes from draft-gont-tcpm-icmp-attacks-04 . . . . . . . 35 C.5. Changes from draft-gont-tcpm-icmp-attacks-05 . . . . . . . 35
C.6. Changes from draft-gont-tcpm-icmp-attacks-03 . . . . . . . 35 C.6. Changes from draft-gont-tcpm-icmp-attacks-04 . . . . . . . 35
C.7. Changes from draft-gont-tcpm-icmp-attacks-02 . . . . . . . 35 C.7. Changes from draft-gont-tcpm-icmp-attacks-03 . . . . . . . 35
C.8. Changes from draft-gont-tcpm-icmp-attacks-01 . . . . . . . 36 C.8. Changes from draft-gont-tcpm-icmp-attacks-02 . . . . . . . 36
C.9. Changes from draft-gont-tcpm-icmp-attacks-00 . . . . . . . 36 C.9. Changes from draft-gont-tcpm-icmp-attacks-01 . . . . . . . 36
C.10. Changes from draft-gont-tcpm-icmp-attacks-00 . . . . . . . 36
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 36 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 36
Intellectual Property and Copyright Statements . . . . . . . . . . 38 Intellectual Property and Copyright Statements . . . . . . . . . . 38
1. Introduction 1. Introduction
ICMP [RFC0792] is a fundamental part of the TCP/IP protocol suite, ICMP [RFC0792] is a fundamental part of the TCP/IP protocol suite,
and is used mainly for reporting network error conditions. However, and is used mainly for reporting network error conditions. However,
the current specifications do not recommend any kind of validation the current specifications do not recommend any kind of validation
checks on the received ICMP error messages, thus allowing variety of checks on the received ICMP error messages, thus allowing variety of
attacks against TCP [RFC0793] by means of ICMP, which include blind attacks against TCP [RFC0793] by means of ICMP, which include blind
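Review bot: Missing article in the Introduction, carried over unchanged from -03: "thus allowing variety of attacks against TCP" should read "thus allowing a variety of attacks against TCP". The table of contents in the new column correctly grows to C.10 to match the extra "Changes from draft-ietf-tcpm-icmp-attacks-03" subsection, so no action there.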
skipping to change at page 4, line 39 skipping to change at page 4, line 39
It is clear that implementations should be more cautious when It is clear that implementations should be more cautious when
processing ICMP error messages, to eliminate or mitigate the use of processing ICMP error messages, to eliminate or mitigate the use of
ICMP to perform attacks against TCP [RFC4907]. ICMP to perform attacks against TCP [RFC4907].
This document aims to raise awareness of the use of ICMP to perform a This document aims to raise awareness of the use of ICMP to perform a
variety of attacks against TCP, and discusses several counter- variety of attacks against TCP, and discusses several counter-
measures that eliminate or minimize the impact of these attacks. measures that eliminate or minimize the impact of these attacks.
Most of the these counter-measures can be implemented while still Most of the these counter-measures can be implemented while still
remaining compliant with the current specifications, as they simply remaining compliant with the current specifications, as they simply
suggest reasons for not taking the advice provided in the describe reasons for not taking the advice provided in the
specifications in terms of "SHOULDs", but still comply with the specifications in terms of "SHOULDs", but still comply with the
requirements stated as "MUSTs". requirements stated as "MUSTs".
Section 2 provides background information on ICMP. Section 3 Section 2 provides background information on ICMP. Section 3
discusses the constraints in the general counter-measures that can be discusses the constraints in the general counter-measures that can be
implemented against the attacks described in this document. implemented against the attacks described in this document.
Section 4 proposes several general validation checks that can be Section 4 proposes several general validation checks that can be
implemented to mitigate any ICMP-based attack. Finally, Section 5, implemented to mitigate any ICMP-based attack. Finally, Section 5,
Section 6, and Section 7, discuss a variety of ICMP attacks that can Section 6, and Section 7, discuss a variety of ICMP attacks that can
be performed against TCP, and propose attack-specific counter- be performed against TCP, and propose attack-specific counter-
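Review bot: Leftover duplicated word in "Most of the these counter-measures can be implemented"; suggest "Most of these counter-measures can be implemented". The rewording of "suggest reasons" to "describe reasons" is consistent with the documenting-rather-than-proposing stance recorded in Appendix C.2. Minor: the stray comma in "Section 6, and Section 7, discuss" should be dropped.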
skipping to change at page 29, line 51 skipping to change at page 29, line 51
10.2. Informative References 10.2. Informative References
[DClark] Clark, D., "The Design Philosophy of the DARPA Internet [DClark] Clark, D., "The Design Philosophy of the DARPA Internet
Protocols", Computer Communication Review Vol. 18, No. 4, Protocols", Computer Communication Review Vol. 18, No. 4,
1988. 1988.
[FreeBSD] The FreeBSD Project, "http://www.freebsd.org". [FreeBSD] The FreeBSD Project, "http://www.freebsd.org".
[I-D.ietf-tcpm-tcp-soft-errors] [I-D.ietf-tcpm-tcp-soft-errors]
Gont, F., "TCP's Reaction to Soft Errors", Gont, F., "TCP's Reaction to Soft Errors",
draft-ietf-tcpm-tcp-soft-errors-07 (work in progress), draft-ietf-tcpm-tcp-soft-errors-08 (work in progress),
December 2007. April 2008.
[I-D.ietf-tcpm-tcpsecure] [I-D.ietf-tcpm-tcpsecure]
Ramaiah, A., "Improving TCP's Robustness to Blind In- Ramaiah, A., Stewart, R., and M. Dalal, "Improving TCP's
Window Attacks", draft-ietf-tcpm-tcpsecure-09 (work in Robustness to Blind In-Window Attacks",
progress), January 2008. draft-ietf-tcpm-tcpsecure-10 (work in progress),
July 2008.
[I-D.ietf-tsvwg-port-randomization] [I-D.ietf-tsvwg-port-randomization]
Larsen, M. and F. Gont, "Port Randomization", Larsen, M. and F. Gont, "Port Randomization",
draft-ietf-tsvwg-port-randomization-01 (work in progress), draft-ietf-tsvwg-port-randomization-02 (work in progress),
February 2008. August 2008.
[ICMP-Filtering] [ICMP-Filtering]
Gont, F., "Filtering of ICMP error messages", http:// Gont, F., "Filtering of ICMP error messages", http://
www.gont.com.ar/papers/ www.gont.com.ar/papers/
filtering-of-icmp-error-messages.pdf. filtering-of-icmp-error-messages.pdf.
[IP-filtering] [IP-filtering]
NISCC, "NISCC Technical Note 01/2006: Egress and Ingress NISCC, "NISCC Technical Note 01/2006: Egress and Ingress
Filtering", http://www.niscc.gov.uk/niscc/docs/ Filtering", http://www.niscc.gov.uk/niscc/docs/
re-20060420-00294.pdf?lang=en, 2006. re-20060420-00294.pdf?lang=en, 2006.
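Review bot: The [ICMP-Filtering] entry has no date, unlike every other informative reference in this hunk (for example [IP-filtering] carries 2006); suggest adding the publication or access date for the paper so the citation can be located if the URL moves. The refreshed draft versions (tcp-soft-errors-08, tcpsecure-10, port-randomization-02) and the added co-authors on [I-D.ietf-tcpm-tcpsecure] are otherwise fine.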
skipping to change at page 33, line 46 skipping to change at page 33, line 46
vulnerabilities and potential threats to IT systems especially where vulnerabilities and potential threats to IT systems especially where
they may have an impact on Critical National Infrastructure's (CNI). they may have an impact on Critical National Infrastructure's (CNI).
Other ways to contact CPNI, plus CPNI's PGP public key, are available Other ways to contact CPNI, plus CPNI's PGP public key, are available
at http://www.cpni.gov.uk . at http://www.cpni.gov.uk .
Appendix C. Changes from previous versions of the draft (to be removed Appendix C. Changes from previous versions of the draft (to be removed
by the RFC Editor before publishing this document as an by the RFC Editor before publishing this document as an
RFC) RFC)
C.1. Changes from draft-ietf-tcpm-icmp-attacks-02 C.1. Changes from draft-ietf-tcpm-icmp-attacks-03
o The draft had expired and thus is resubmitted with no further
changes.
C.2. Changes from draft-ietf-tcpm-icmp-attacks-02
o Added a disclaimer to indicate that this document does not update o Added a disclaimer to indicate that this document does not update
the current specifications. the current specifications.
o Addresses feedback sent off-list by Alfred Hoenes. o Addresses feedback sent off-list by Alfred Hoenes.
o The text (particulary that which describes the counter-measures) o The text (particulary that which describes the counter-measures)
was reworded to document what current implementations are doing, was reworded to document what current implementations are doing,
rather than "proposing" the implementation of the counter- rather than "proposing" the implementation of the counter-
measures. measures.
o Some text has been removed: we're just documenting the problem, o Some text has been removed: we're just documenting the problem,
and what existing implementations have done. and what existing implementations have done.
o Miscelaneous editorial changes. o Miscelaneous editorial changes.
C.2. Changes from draft-ietf-tcpm-icmp-attacks-01 C.3. Changes from draft-ietf-tcpm-icmp-attacks-01
o Fixed references to the antispoof documents (were hardcoded and o Fixed references to the antispoof documents (were hardcoded and
missing in the References Section). missing in the References Section).
o The draft had expired and thus is resubmitted with no further o The draft had expired and thus is resubmitted with only a minor
changes. editorial change.
C.3. Changes from draft-ietf-tcpm-icmp-attacks-00 C.4. Changes from draft-ietf-tcpm-icmp-attacks-00
o Added references to the specific sections of each of the o Added references to the specific sections of each of the
referenced specifications referenced specifications
o Corrected the threat analysys o Corrected the threat analysys
o Added clarification about whether the counter-measures violate the o Added clarification about whether the counter-measures violate the
current specifications or not. current specifications or not.
o Changed text so that the document fits better in the Informational o Changed text so that the document fits better in the Informational
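Review bot: The new C.1 entry, "The draft had expired and thus is resubmitted with no further changes", is not accurate for this revision: the diff itself shows three informative references being bumped to newer draft versions and author lists being updated, so suggest "resubmitted with refreshed references and no other changes". Also in this hunk: "Critical National Infrastructure's (CNI)" should be "Critical National Infrastructure (CNI)" (no possessive), and the changelog bullets carry the spelling errors "particulary" (particularly), "Miscelaneous" (Miscellaneous) and "analysys" (analysis); "Addresses feedback" would also read better in the past tense used by the neighbouring bullets ("Addressed feedback").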
skipping to change at page 34, line 46 skipping to change at page 35, line 4
o Changed text so that the document fits better in the Informational o Changed text so that the document fits better in the Informational
path path
o Added a specific section on IPsec (Section 2.3) o Added a specific section on IPsec (Section 2.3)
o Added clarification and references on the use of ICMP filtering o Added clarification and references on the use of ICMP filtering
based on the ICMP payload based on the ICMP payload
o Updated references to obsoleted RFCs o Updated references to obsoleted RFCs
o Added a discussion of multipath scenarios, and possible lose in o Added a discussion of multipath scenarios, and possible lose in
responsiveness resulting from the reaction to hard errors as soft responsiveness resulting from the reaction to hard errors as soft
errors errors
o Miscellaneous editorial changes o Miscellaneous editorial changes
C.4. Changes from draft-gont-tcpm-icmp-attacks-05 C.5. Changes from draft-gont-tcpm-icmp-attacks-05
o Removed RFC 2119 wording to make the draft suitable for o Removed RFC 2119 wording to make the draft suitable for
publication as an Informational RFC. publication as an Informational RFC.
o Added additional checks that should be performed on ICMP error o Added additional checks that should be performed on ICMP error
messages (checksum of the IP header in the ICMP payload, and messages (checksum of the IP header in the ICMP payload, and
others). others).
o Added clarification of the rationale behind each the TCP SEQ check o Added clarification of the rationale behind each the TCP SEQ check
o Miscellaneous editorial changes o Miscellaneous editorial changes
C.5. Changes from draft-gont-tcpm-icmp-attacks-04 C.6. Changes from draft-gont-tcpm-icmp-attacks-04
o Added section on additional considerations for validating ICMP o Added section on additional considerations for validating ICMP
error messages error messages
o Added reference to (draft) [RFC4907] o Added reference to (draft) [RFC4907]
o Added stress on the fact that ICMP error messages are unreliable o Added stress on the fact that ICMP error messages are unreliable
o Miscellaneous editorial changes o Miscellaneous editorial changes
C.6. Changes from draft-gont-tcpm-icmp-attacks-03 C.7. Changes from draft-gont-tcpm-icmp-attacks-03
o Added references to existing implementations of the proposed o Added references to existing implementations of the proposed
counter-measures counter-measures
o The discussion in Section 4 was improved o The discussion in Section 4 was improved
o The discussion of the blind connection-reset vulnerability was o The discussion of the blind connection-reset vulnerability was
expanded and improved expanded and improved
o The proposed counter-measure for the attack against the PMTUD was o The proposed counter-measure for the attack against the PMTUD was
improved and simplified improved and simplified
o Section 7.4 was added o Section 7.4 was added
o Miscellaneous editorial changes o Miscellaneous editorial changes
C.7. Changes from draft-gont-tcpm-icmp-attacks-02 C.8. Changes from draft-gont-tcpm-icmp-attacks-02
o Fixed errors in in the discussion of the blind connection-reset o Fixed errors in in the discussion of the blind connection-reset
attack attack
o The proposed counter-measure for the attack against the PMTUD o The proposed counter-measure for the attack against the PMTUD
mechanism was refined to allow quick discovery of the Path-MTU mechanism was refined to allow quick discovery of the Path-MTU
o Section 7.3 was added so as to clarify the operation of the o Section 7.3 was added so as to clarify the operation of the
counter-measure for the attack against the PMTUD mechanism counter-measure for the attack against the PMTUD mechanism
o Added Appendix B o Added Appendix B
o Miscellaneous editorial changes o Miscellaneous editorial changes
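Review bot: Three wording slips in the changelog bullets of this hunk, all present in both columns: "possible lose in responsiveness" should be "possible loss of responsiveness"; "the rationale behind each the TCP SEQ check" should be "the rationale behind each of the TCP SEQ checks" (or "behind the TCP SEQ check"); and "Fixed errors in in the discussion" has a duplicated "in". Since these entries are slated for removal by the RFC Editor they are low priority, but they are cheap to fix while the section is being renumbered.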
skipping to change at page 36, line 14 skipping to change at page 36, line 20
o The proposed counter-measure for the attack against the PMTUD o The proposed counter-measure for the attack against the PMTUD
mechanism was refined to allow quick discovery of the Path-MTU mechanism was refined to allow quick discovery of the Path-MTU
o Section 7.3 was added so as to clarify the operation of the o Section 7.3 was added so as to clarify the operation of the
counter-measure for the attack against the PMTUD mechanism counter-measure for the attack against the PMTUD mechanism
o Added Appendix B o Added Appendix B
o Miscellaneous editorial changes o Miscellaneous editorial changes
C.8. Changes from draft-gont-tcpm-icmp-attacks-01 C.9. Changes from draft-gont-tcpm-icmp-attacks-01
o The document was restructured for easier reading o The document was restructured for easier reading
o A discussion of ICMPv6 was added in several sections of the o A discussion of ICMPv6 was added in several sections of the
document document
o Added Section on Acknowledgement number checking o Added Section on Acknowledgement number checking
o Added Section 4.3 o Added Section 4.3
o Added Section 7 o Added Section 7
o Fixed typo in the ICMP types, in several places o Fixed typo in the ICMP types, in several places
o Fixed typo in the TCP sequence number check formula o Fixed typo in the TCP sequence number check formula
o Miscellaneous editorial changes o Miscellaneous editorial changes
C.9. Changes from draft-gont-tcpm-icmp-attacks-00 C.10. Changes from draft-gont-tcpm-icmp-attacks-00
o Added a proposal to change the handling of the so-called ICMP hard o Added a proposal to change the handling of the so-called ICMP hard
errors during the synchronized states errors during the synchronized states
o Added a summary of the relevant RFCs in several sections o Added a summary of the relevant RFCs in several sections
o Miscellaneous editorial changes o Miscellaneous editorial changes
Author's Address Author's Address
 End of changes. 21 change blocks. 
32 lines changed or deleted 40 lines changed or added

This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/