draft-ietf-tcpm-icmp-attacks-10.txt   draft-ietf-tcpm-icmp-attacks-11.txt 
TCP Maintenance and Minor F. Gont TCP Maintenance and Minor F. Gont
Extensions (tcpm) UTN/FRH Extensions (tcpm) UTN/FRH
Internet-Draft January 30, 2010 Internet-Draft February 25, 2010
Intended status: Informational Intended status: Informational
Expires: August 3, 2010 Expires: August 29, 2010
ICMP attacks against TCP ICMP attacks against TCP
draft-ietf-tcpm-icmp-attacks-10.txt draft-ietf-tcpm-icmp-attacks-11.txt
Abstract Abstract
This document discusses the use of the Internet Control Message This document discusses the use of the Internet Control Message
Protocol (ICMP) to perform a variety of attacks against the Protocol (ICMP) to perform a variety of attacks against the
Transmission Control Protocol (TCP). Additionally, describes a Transmission Control Protocol (TCP). Additionally, describes a
number of widely implemented modifications to TCP's handling of ICMP number of widely implemented modifications to TCP's handling of ICMP
error messages that help to mitigate these issues. error messages that help to mitigate these issues.
Status of this Memo Status of this Memo
skipping to change at page 1, line 41 skipping to change at page 1, line 41
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 3, 2010. This Internet-Draft will expire on August 29, 2010.
Copyright Notice Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 47 skipping to change at page 3, line 47
performance-degrading attack . . . . . . . . . . . . . . . 27 performance-degrading attack . . . . . . . . . . . . . . . 27
8. Security Considerations . . . . . . . . . . . . . . . . . . . 30 8. Security Considerations . . . . . . . . . . . . . . . . . . . 30
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 31 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 31
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 31 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 31
11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 32 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 32
11.1. Normative References . . . . . . . . . . . . . . . . . . . 32 11.1. Normative References . . . . . . . . . . . . . . . . . . . 32
11.2. Informative References . . . . . . . . . . . . . . . . . . 33 11.2. Informative References . . . . . . . . . . . . . . . . . . 33
Appendix A. Changes from previous versions of the draft (to Appendix A. Changes from previous versions of the draft (to
be removed by the RFC Editor before publishing be removed by the RFC Editor before publishing
this document as an RFC) . . . . . . . . . . . . . . 35 this document as an RFC) . . . . . . . . . . . . . . 35
A.1. Changes from draft-ietf-tcpm-icmp-attacks-09 . . . . . . . 35 A.1. Changes from draft-ietf-tcpm-icmp-attacks-10 . . . . . . . 35
A.2. Changes from draft-ietf-tcpm-icmp-attacks-08 . . . . . . . 36 A.2. Changes from draft-ietf-tcpm-icmp-attacks-09 . . . . . . . 36
A.3. Changes from draft-ietf-tcpm-icmp-attacks-07 . . . . . . . 36 A.3. Changes from draft-ietf-tcpm-icmp-attacks-08 . . . . . . . 36
A.4. Changes from draft-ietf-tcpm-icmp-attacks-06 . . . . . . . 36 A.4. Changes from draft-ietf-tcpm-icmp-attacks-07 . . . . . . . 36
A.5. Changes from draft-ietf-tcpm-icmp-attacks-05 . . . . . . . 36 A.5. Changes from draft-ietf-tcpm-icmp-attacks-06 . . . . . . . 36
A.6. Changes from draft-ietf-tcpm-icmp-attacks-04 . . . . . . . 36 A.6. Changes from draft-ietf-tcpm-icmp-attacks-05 . . . . . . . 36
A.7. Changes from draft-ietf-tcpm-icmp-attacks-03 . . . . . . . 36 A.7. Changes from draft-ietf-tcpm-icmp-attacks-04 . . . . . . . 36
A.8. Changes from draft-ietf-tcpm-icmp-attacks-02 . . . . . . . 36 A.8. Changes from draft-ietf-tcpm-icmp-attacks-03 . . . . . . . 36
A.9. Changes from draft-ietf-tcpm-icmp-attacks-01 . . . . . . . 37 A.9. Changes from draft-ietf-tcpm-icmp-attacks-02 . . . . . . . 36
A.10. Changes from draft-ietf-tcpm-icmp-attacks-00 . . . . . . . 37 A.10. Changes from draft-ietf-tcpm-icmp-attacks-01 . . . . . . . 37
A.11. Changes from draft-gont-tcpm-icmp-attacks-05 . . . . . . . 37 A.11. Changes from draft-ietf-tcpm-icmp-attacks-00 . . . . . . . 37
A.12. Changes from draft-gont-tcpm-icmp-attacks-04 . . . . . . . 38 A.12. Changes from draft-gont-tcpm-icmp-attacks-05 . . . . . . . 37
A.13. Changes from draft-gont-tcpm-icmp-attacks-03 . . . . . . . 38 A.13. Changes from draft-gont-tcpm-icmp-attacks-04 . . . . . . . 38
A.14. Changes from draft-gont-tcpm-icmp-attacks-02 . . . . . . . 38 A.14. Changes from draft-gont-tcpm-icmp-attacks-03 . . . . . . . 38
A.15. Changes from draft-gont-tcpm-icmp-attacks-01 . . . . . . . 39 A.15. Changes from draft-gont-tcpm-icmp-attacks-02 . . . . . . . 38
A.16. Changes from draft-gont-tcpm-icmp-attacks-00 . . . . . . . 39 A.16. Changes from draft-gont-tcpm-icmp-attacks-01 . . . . . . . 39
A.17. Changes from draft-gont-tcpm-icmp-attacks-00 . . . . . . . 39
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 39 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 39
1. Introduction 1. Introduction
ICMP [RFC0792] is a fundamental part of the TCP/IP protocol suite, ICMP [RFC0792] is a fundamental part of the TCP/IP protocol suite,
and is used mainly for reporting network error conditions. However, and is used mainly for reporting network error conditions. However,
the current specifications do not recommend any kind of validation the current specifications do not recommend any kind of validation
checks on the received ICMP error messages, thus allowing variety of checks on the received ICMP error messages, thus allowing variety of
attacks against TCP [RFC0793] by means of ICMP, which include blind attacks against TCP [RFC0793] by means of ICMP, which include blind
connection-reset, blind throughput-reduction, and blind performance- connection-reset, blind throughput-reduction, and blind performance-
skipping to change at page 18, line 51 skipping to change at page 18, line 51
attacked system to send a single byte of application data without attacked system to send a single byte of application data without
fragmentation. This particular scenario might lead to unpredictable fragmentation. This particular scenario might lead to unpredictable
results. Another possible scenario is that in which a TCP connection results. Another possible scenario is that in which a TCP connection
is being secured by means of IPsec. If the Next-Hop MTU reported by is being secured by means of IPsec. If the Next-Hop MTU reported by
the attacker is smaller than the amount of bytes needed for headers the attacker is smaller than the amount of bytes needed for headers
(IP and IPsec, in this case), the assumed Path-MTU will not even (IP and IPsec, in this case), the assumed Path-MTU will not even
allow the attacked system to send a single byte of the TCP header allow the attacked system to send a single byte of the TCP header
without fragmentation. This is another scenario that may lead to without fragmentation. This is another scenario that may lead to
unpredictable results. unpredictable results.
For IPv4, the reported Next-Hop MTU could be as low as 68 octets, as For IPv4, the reported Next-Hop MTU could be as small as 68 octets,
as [RFC0791] requires every internet module to be able to forward a
[RFC0791] requires every internet module to be able to forward a datagram of 68 octets without further fragmentation. For IPv6, while
datagram of 68 octets without further fragmentation. For IPv6, the the required minimum IPv6 MTU is 1280, the reported Next-Hop MTU can
reported Next-Hop MTU could be as low as 1280 octets (the minimum be smaller than 1280 octets [RFC2460]. If the reported Next-Hop MTU
IPv6 MTU) [RFC2460]. is smaller than the minimum IPv6 MTU, the receiving host is not
required to reduce the Path-MTU to a value smaller than 1280, but is
required to include a fragmentation header in the outgoing packets to
that destination from that moment on.
7.2. Attack-specific counter-measures 7.2. Attack-specific counter-measures
The IETF has standardized a Path-MTU Discovery mechanism called The IETF has standardized a Path-MTU Discovery mechanism called
"Packetization Layer Path MTU Discovery" that does not depend on ICMP "Packetization Layer Path MTU Discovery" that does not depend on ICMP
error messages. Implementation of the aforementioned mechanism in error messages. Implementation of the aforementioned mechanism in
replacement of the traditional PMTUD (specified in [RFC1191] and replacement of the traditional PMTUD (specified in [RFC1191] and
[RFC1981]) eliminates this vulnerability. However, it can also lead [RFC1981]) eliminates this vulnerability. However, it can also lead
to an increase of the PMTUD convergence time. to an increase of the PMTUD convergence time.
skipping to change at page 25, line 8 skipping to change at page 25, line 8
discovered to be 1500. At this point, both maxsizesent and discovered to be 1500. At this point, both maxsizesent and
maxsizeacked are equal to 1500, and nsegrto is equal to 0. Suppose maxsizeacked are equal to 1500, and nsegrto is equal to 0. Suppose
some time later the PMTU decreases to 1492. For simplicity, let us some time later the PMTU decreases to 1492. For simplicity, let us
suppose that the Path-MTU has decreased because the MTU of the link suppose that the Path-MTU has decreased because the MTU of the link
between R2 and R3 has decreased from 1500 to 1492. Figure 3 between R2 and R3 has decreased from 1500 to 1492. Figure 3
illustrates how the counter-measure would work in this scenario. illustrates how the counter-measure would work in this scenario.
Host 1 Host 2 Host 1 Host 2
1. (Path-MTU decreases) 1. (Path-MTU decreases)
2. --> <SEQ=100><ACK=X><CTL=ACK><DATA=1500> --> 2. --> <SEQ=100><ACK=X><CTL=ACK><DATA=1460> -->
3. <--- ICMP "Packet Too Big" MTU=1492, TCPseq#=100 <--- R2 3. <--- ICMP "Packet Too Big" MTU=1492, TCPseq#=100 <--- R2
4. (Segment times out) 4. (Segment times out)
5. --> <SEQ=100><ACK=X><CTL=ACK><DATA=1452> --> 5. --> <SEQ=100><ACK=X><CTL=ACK><DATA=1452> -->
6. <-- <SEQ=X><ACK=1552><CTL=ACK> <-- 6. <-- <SEQ=X><ACK=1552><CTL=ACK> <--
Figure 3: Operation during Path-MTU changes Figure 3: Operation during Path-MTU changes
In line 1, the Path-MTU for this connection decreases from 1500 to In line 1, the Path-MTU for this connection decreases from 1500 to
1492. In line 2, the TCP at H1, without being aware of the Path-MTU 1492. In line 2, the TCP at H1, without being aware of the Path-MTU
change, sends a 1500-byte packet to H2. When the packet reaches R2, change, sends a 1500-byte packet to H2. When the packet reaches R2,
skipping to change at page 27, line 32 skipping to change at page 27, line 32
Host 1 Host 2 Host 1 Host 2
1. --> <SEQ=100><CTL=SYN> --> 1. --> <SEQ=100><CTL=SYN> -->
2. <-- <SEQ=X><ACK=101><CTL=SYN,ACK> <-- 2. <-- <SEQ=X><ACK=101><CTL=SYN,ACK> <--
3. --> <SEQ=101><ACK=X+1><CTL=ACK> --> 3. --> <SEQ=101><ACK=X+1><CTL=ACK> -->
4. --> <SEQ=101><ACK=X+1><CTL=ACK><DATA=100> --> 4. --> <SEQ=101><ACK=X+1><CTL=ACK><DATA=100> -->
5. <-- <SEQ=X+1><ACK=201><CTL=ACK> <-- 5. <-- <SEQ=X+1><ACK=201><CTL=ACK> <--
6. --> <SEQ=201><ACK=X+1><CTL=ACK><DATA=100> --> 6. --> <SEQ=201><ACK=X+1><CTL=ACK><DATA=100> -->
7. --> <SEQ=301><ACK=X+1><CTL=ACK><DATA=100> --> 7. --> <SEQ=301><ACK=X+1><CTL=ACK><DATA=100> -->
8. <--- ICMP "Packet Too Big" MTU=150, TCPseq#=101 <--- 8. <--- ICMP "Packet Too Big" MTU=150, TCPseq#=201 <---
Figure 6: TCP peer attacked when sending small packets just after the Figure 6: TCP peer attacked when sending small packets just after the
three-way handshake three-way handshake
nsegrto is initialized to zero. Both maxsizesent and maxsizeacked nsegrto is initialized to zero. Both maxsizesent and maxsizeacked
are initialized to the minimum MTU for the internet protocol being are initialized to the minimum MTU for the internet protocol being
used (68 for IPv4, and 1280 for IPv6). used (68 for IPv4, and 1280 for IPv6).
In lines 1 to 3 the three-way handshake takes place, and the In lines 1 to 3 the three-way handshake takes place, and the
connection is established. At this point, the assumed Path-MTU for connection is established. At this point, the assumed Path-MTU for
skipping to change at page 34, line 31 skipping to change at page 34, line 31
tn-03-09-security-assessment-TCP.pdf, 2009. tn-03-09-security-assessment-TCP.pdf, 2009.
[DClark] Clark, D., "The Design Philosophy of the DARPA Internet [DClark] Clark, D., "The Design Philosophy of the DARPA Internet
Protocols", Computer Communication Review Vol. 18, No. 4, Protocols", Computer Communication Review Vol. 18, No. 4,
1988. 1988.
[FreeBSD] The FreeBSD Project, "http://www.freebsd.org". [FreeBSD] The FreeBSD Project, "http://www.freebsd.org".
[I-D.ietf-tcpm-tcp-auth-opt] [I-D.ietf-tcpm-tcp-auth-opt]
Touch, J., Mankin, A., and R. Bonica, "The TCP Touch, J., Mankin, A., and R. Bonica, "The TCP
Authentication Option", draft-ietf-tcpm-tcp-auth-opt-08 Authentication Option", draft-ietf-tcpm-tcp-auth-opt-10
(work in progress), October 2009. (work in progress), January 2010.
[I-D.ietf-tcpm-tcp-security] [I-D.ietf-tcpm-tcp-security]
Gont, F., "Security Assessment of the Transmission Control Gont, F., "Security Assessment of the Transmission Control
Protocol (TCP)", draft-ietf-tcpm-tcp-security-00 (work in Protocol (TCP)", draft-ietf-tcpm-tcp-security-01 (work in
progress), August 2009. progress), February 2010.
[I-D.ietf-tcpm-tcpsecure] [I-D.ietf-tcpm-tcpsecure]
Ramaiah, A., Stewart, R., and M. Dalal, "Improving TCP's Ramaiah, A., Stewart, R., and M. Dalal, "Improving TCP's
Robustness to Blind In-Window Attacks", Robustness to Blind In-Window Attacks",
draft-ietf-tcpm-tcpsecure-12 (work in progress), draft-ietf-tcpm-tcpsecure-12 (work in progress),
September 2009. September 2009.
[I-D.ietf-tsvwg-port-randomization] [I-D.ietf-tsvwg-port-randomization]
Larsen, M. and F. Gont, "Port Randomization", Larsen, M. and F. Gont, "Transport Protocol Port
draft-ietf-tsvwg-port-randomization-05 (work in progress), Randomization Recommendations",
November 2009. draft-ietf-tsvwg-port-randomization-06 (work in progress),
February 2010.
[ICMP-Filtering] [ICMP-Filtering]
Gont, F., "Filtering of ICMP error messages", http:// Gont, F., "Filtering of ICMP error messages", http://
www.gont.com.ar/papers/ www.gont.com.ar/papers/
filtering-of-icmp-error-messages.pdf. filtering-of-icmp-error-messages.pdf.
[IP-filtering] [IP-filtering]
NISCC, "NISCC Technical Note 01/2006: Egress and Ingress NISCC, "NISCC Technical Note 01/2006: Egress and Ingress
Filtering", http://www.niscc.gov.uk/niscc/docs/ Filtering", http://www.niscc.gov.uk/niscc/docs/
re-20060420-00294.pdf?lang=en, 2006. re-20060420-00294.pdf?lang=en, 2006.
skipping to change at page 36, line 44 skipping to change at page 36, line 45
[Watson] Watson, P., "Slipping in the Window: TCP Reset Attacks", [Watson] Watson, P., "Slipping in the Window: TCP Reset Attacks",
2004 CanSecWest Conference , 2004. 2004 CanSecWest Conference , 2004.
[Wright] Wright, G. and W. Stevens, "TCP/IP Illustrated, Volume 2: [Wright] Wright, G. and W. Stevens, "TCP/IP Illustrated, Volume 2:
The Implementation", Addison-Wesley , 1994. The Implementation", Addison-Wesley , 1994.
Appendix A. Changes from previous versions of the draft (to be removed Appendix A. Changes from previous versions of the draft (to be removed
by the RFC Editor before publishing this document as an by the RFC Editor before publishing this document as an
RFC) RFC)
A.1. Changes from draft-ietf-tcpm-icmp-attacks-09 A.1. Changes from draft-ietf-tcpm-icmp-attacks-10
o Addresses IESG review comments by Magnus Westerlund and
(partially) addresses IESG review comments by Tim Polk.
A.2. Changes from draft-ietf-tcpm-icmp-attacks-09
o Addresses AD review comments by Lars Eggert (hopefully :-) ). o Addresses AD review comments by Lars Eggert (hopefully :-) ).
A.2. Changes from draft-ietf-tcpm-icmp-attacks-08 A.3. Changes from draft-ietf-tcpm-icmp-attacks-08
o Fixes a couple of nits found by... Alfred!. Thanks! (again, and o Fixes a couple of nits found by... Alfred!. Thanks! (again, and
again, and again....). again, and again....).
A.3. Changes from draft-ietf-tcpm-icmp-attacks-07 A.4. Changes from draft-ietf-tcpm-icmp-attacks-07
o Addresses some remaining WGLC feedback sent off-list by Donald o Addresses some remaining WGLC feedback sent off-list by Donald
Smith and Guillermo Gont. Smith and Guillermo Gont.
A.4. Changes from draft-ietf-tcpm-icmp-attacks-06 A.5. Changes from draft-ietf-tcpm-icmp-attacks-06
o Addresses WGLC feedback by Joe Touch and Donald Smith. o Addresses WGLC feedback by Joe Touch and Donald Smith.
A.5. Changes from draft-ietf-tcpm-icmp-attacks-05 A.6. Changes from draft-ietf-tcpm-icmp-attacks-05
o Addresses feedback submitted by Wes Eddy o Addresses feedback submitted by Wes Eddy
(http://www.ietf.org/mail-archive/web/tcpm/current/msg04573.html (http://www.ietf.org/mail-archive/web/tcpm/current/msg04573.html
and and
http://www.ietf.org/mail-archive/web/tcpm/current/msg04574.html) http://www.ietf.org/mail-archive/web/tcpm/current/msg04574.html)
and Joe Touch (on June 8th... couldn't find online ref, sorry) on and Joe Touch (on June 8th... couldn't find online ref, sorry) on
the TCPM WG mailing-list. the TCPM WG mailing-list.
A.6. Changes from draft-ietf-tcpm-icmp-attacks-04 A.7. Changes from draft-ietf-tcpm-icmp-attacks-04
o The draft had expired and thus is resubmitted with no further o The draft had expired and thus is resubmitted with no further
changes. Currently working on a rev of the document (Please send changes. Currently working on a rev of the document (Please send
feedback!). feedback!).
A.7. Changes from draft-ietf-tcpm-icmp-attacks-03 A.8. Changes from draft-ietf-tcpm-icmp-attacks-03
o The draft had expired and thus is resubmitted with no further o The draft had expired and thus is resubmitted with no further
changes. changes.
A.8. Changes from draft-ietf-tcpm-icmp-attacks-02 A.9. Changes from draft-ietf-tcpm-icmp-attacks-02
o Added a disclaimer to indicate that this document does not update o Added a disclaimer to indicate that this document does not update
the current specifications. the current specifications.
o Addresses feedback sent off-list by Alfred Hoenes. o Addresses feedback sent off-list by Alfred Hoenes.
o The text (particularly that which describes the counter-measures) o The text (particularly that which describes the counter-measures)
was reworded to document what current implementations are doing, was reworded to document what current implementations are doing,
rather than "proposing" the implementation of the counter- rather than "proposing" the implementation of the counter-
measures. measures.
o Some text has been removed: we're just documenting the problem, o Some text has been removed: we're just documenting the problem,
and what existing implementations have done. and what existing implementations have done.
o Miscellaneous editorial changes. o Miscellaneous editorial changes.
A.9. Changes from draft-ietf-tcpm-icmp-attacks-01 A.10. Changes from draft-ietf-tcpm-icmp-attacks-01
o Fixed references to the antispoof documents (were hardcoded and o Fixed references to the antispoof documents (were hardcoded and
missing in the References Section). missing in the References Section).
o The draft had expired and thus is resubmitted with only a minor o The draft had expired and thus is resubmitted with only a minor
editorial change. editorial change.
A.10. Changes from draft-ietf-tcpm-icmp-attacks-00 A.11. Changes from draft-ietf-tcpm-icmp-attacks-00
o Added references to the specific sections of each of the o Added references to the specific sections of each of the
referenced specifications referenced specifications
o Corrected the threat analysis o Corrected the threat analysis
o Added clarification about whether the counter-measures violate the o Added clarification about whether the counter-measures violate the
current specifications or not. current specifications or not.
o Changed text so that the document fits better in the Informational o Changed text so that the document fits better in the Informational
skipping to change at page 38, line 41 skipping to change at page 38, line 45
based on the ICMP payload based on the ICMP payload
o Updated references to obsoleted RFCs o Updated references to obsoleted RFCs
o Added a discussion of multipath scenarios, and possible lose in o Added a discussion of multipath scenarios, and possible lose in
responsiveness resulting from the reaction to hard errors as soft responsiveness resulting from the reaction to hard errors as soft
errors errors
o Miscellaneous editorial changes o Miscellaneous editorial changes
A.11. Changes from draft-gont-tcpm-icmp-attacks-05 A.12. Changes from draft-gont-tcpm-icmp-attacks-05
o Removed RFC 2119 wording to make the draft suitable for o Removed RFC 2119 wording to make the draft suitable for
publication as an Informational RFC. publication as an Informational RFC.
o Added additional checks that should be performed on ICMP error o Added additional checks that should be performed on ICMP error
messages (checksum of the IP header in the ICMP payload, and messages (checksum of the IP header in the ICMP payload, and
others). others).
o Added clarification of the rationale behind each the TCP SEQ check o Added clarification of the rationale behind each the TCP SEQ check
o Miscellaneous editorial changes o Miscellaneous editorial changes
A.12. Changes from draft-gont-tcpm-icmp-attacks-04 A.13. Changes from draft-gont-tcpm-icmp-attacks-04
o Added section on additional considerations for validating ICMP o Added section on additional considerations for validating ICMP
error messages error messages
o Added reference to (draft) [RFC4907] o Added reference to (draft) [RFC4907]
o Added stress on the fact that ICMP error messages are unreliable o Added stress on the fact that ICMP error messages are unreliable
o Miscellaneous editorial changes o Miscellaneous editorial changes
A.13. Changes from draft-gont-tcpm-icmp-attacks-03 A.14. Changes from draft-gont-tcpm-icmp-attacks-03
o Added references to existing implementations of the described o Added references to existing implementations of the described
counter-measures counter-measures
o The discussion in Section 4 was improved o The discussion in Section 4 was improved
o The discussion of the blind connection-reset vulnerability was o The discussion of the blind connection-reset vulnerability was
expanded and improved expanded and improved
o The counter-measure for the attack against the PMTUD was improved o The counter-measure for the attack against the PMTUD was improved
and simplified and simplified
o Section 7.4 was added o Section 7.4 was added
o Miscellaneous editorial changes o Miscellaneous editorial changes
A.14. Changes from draft-gont-tcpm-icmp-attacks-02 A.15. Changes from draft-gont-tcpm-icmp-attacks-02
o Fixed errors in in the discussion of the blind connection-reset o Fixed errors in in the discussion of the blind connection-reset
attack attack
o The counter-measure for the attack against the PMTUD mechanism was o The counter-measure for the attack against the PMTUD mechanism was
refined to allow quick discovery of the Path-MTU refined to allow quick discovery of the Path-MTU
o Section 7.3 was added so as to clarify the operation of the o Section 7.3 was added so as to clarify the operation of the
counter-measure for the attack against the PMTUD mechanism counter-measure for the attack against the PMTUD mechanism
o Added CPNI contact information. o Added CPNI contact information.
o Miscellaneous editorial changes o Miscellaneous editorial changes
A.15. Changes from draft-gont-tcpm-icmp-attacks-01 A.16. Changes from draft-gont-tcpm-icmp-attacks-01
o The document was restructured for easier reading o The document was restructured for easier reading
o A discussion of ICMPv6 was added in several sections of the o A discussion of ICMPv6 was added in several sections of the
document document
o Added Section on Acknowledgement number checking o Added Section on Acknowledgement number checking
o Added Section 4.3 o Added Section 4.3
o Added Section 7 o Added Section 7
o Fixed typo in the ICMP types, in several places o Fixed typo in the ICMP types, in several places
o Fixed typo in the TCP sequence number check formula o Fixed typo in the TCP sequence number check formula
o Miscellaneous editorial changes o Miscellaneous editorial changes
A.16. Changes from draft-gont-tcpm-icmp-attacks-00 A.17. Changes from draft-gont-tcpm-icmp-attacks-00
o Added a proposal to change the handling of the so-called ICMP hard o Added a proposal to change the handling of the so-called ICMP hard
errors during the synchronized states errors during the synchronized states
o Added a summary of the relevant RFCs in several sections o Added a summary of the relevant RFCs in several sections
o Miscellaneous editorial changes o Miscellaneous editorial changes
Author's Address Author's Address
 End of changes. 28 change blocks. 
51 lines changed or deleted 62 lines changed or added

This html diff was produced by rfcdiff 1.38. The latest version is available from http://tools.ietf.org/tools/rfcdiff/