draft-ietf-tcpm-icmp-attacks-11.txt | draft-ietf-tcpm-icmp-attacks-12.txt
TCP Maintenance and Minor F. Gont
Extensions (tcpm) UTN/FRH
Internet-Draft February 25, 2010 | Internet-Draft March 30, 2010
Intended status: Informational
Expires: August 29, 2010 | Expires: October 1, 2010
ICMP attacks against TCP
draft-ietf-tcpm-icmp-attacks-11.txt | draft-ietf-tcpm-icmp-attacks-12.txt
Abstract
This document discusses the use of the Internet Control Message
Protocol (ICMP) to perform a variety of attacks against the
Transmission Control Protocol (TCP). Additionally, describes a
number of widely implemented modifications to TCP's handling of ICMP
error messages that help to mitigate these issues.
Status of this Memo
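Review bot: the second sentence of the Abstract, unchanged context in this block, has no subject: "Additionally, describes a number of widely implemented modifications to TCP's handling of ICMP error messages" should read "Additionally, it describes a number of widely implemented modifications to TCP's handling of ICMP error messages". Since only the version, date and expiry lines of the front matter changed between -11 and -12, this is worth picking up in the same revision rather than leaving it for AUTH48.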
skipping to change at page 1, line 41
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 29, 2010. | This Internet-Draft will expire on October 1, 2010.
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
skipping to change at page 3, line 31
5.2. Attack-specific counter-measures . . . . . . . . . . . . . 13
6. Blind throughput-reduction attack . . . . . . . . . . . . . . 15
6.1. Description . . . . . . . . . . . . . . . . . . . . . . . 15
6.2. Attack-specific counter-measures . . . . . . . . . . . . . 16
7. Blind performance-degrading attack . . . . . . . . . . . . . . 16
7.1. Description . . . . . . . . . . . . . . . . . . . . . . . 16
7.2. Attack-specific counter-measures . . . . . . . . . . . . . 18
7.3. The counter-measure for the PMTUD attack in action . . . . 21
7.3.1. Normal operation for bulk transfers . . . . . . . . . 22
7.3.2. Operation during Path-MTU changes . . . . . . . . . . 23
7.3.3. Idle connection being attacked . . . . . . . . . . . . 24 | 7.3.3. Idle connection being attacked . . . . . . . . . . . . 25
7.3.4. Active connection being attacked after discovery
of the Path-MTU . . . . . . . . . . . . . . . . . . . 25
7.3.5. TCP peer attacked when sending small packets just
after the three-way handshake . . . . . . . . . . . . 26
7.4. Pseudo-code for the counter-measure for the blind
performance-degrading attack . . . . . . . . . . . . . . . 27
8. Security Considerations . . . . . . . . . . . . . . . . . . . 30 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 31
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 31 | 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 32
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 31 | 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 32
11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 32 | 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 33
11.1. Normative References . . . . . . . . . . . . . . . . . . . 32 | 11.1. Normative References . . . . . . . . . . . . . . . . . . . 33
11.2. Informative References . . . . . . . . . . . . . . . . . . 33
Appendix A. Changes from previous versions of the draft (to
be removed by the RFC Editor before publishing
this document as an RFC) . . . . . . . . . . . . . . 35 | this document as an RFC) . . . . . . . . . . . . . . 36
A.1. Changes from draft-ietf-tcpm-icmp-attacks-10 . . . . . . . 35 | A.1. Changes from draft-ietf-tcpm-icmp-attacks-10 . . . . . . . 36
A.2. Changes from draft-ietf-tcpm-icmp-attacks-09 . . . . . . . 36
A.3. Changes from draft-ietf-tcpm-icmp-attacks-08 . . . . . . . 36
A.4. Changes from draft-ietf-tcpm-icmp-attacks-07 . . . . . . . 36
A.5. Changes from draft-ietf-tcpm-icmp-attacks-06 . . . . . . . 36
A.6. Changes from draft-ietf-tcpm-icmp-attacks-05 . . . . . . . 36 | A.6. Changes from draft-ietf-tcpm-icmp-attacks-05 . . . . . . . 37
A.7. Changes from draft-ietf-tcpm-icmp-attacks-04 . . . . . . . 36 | A.7. Changes from draft-ietf-tcpm-icmp-attacks-04 . . . . . . . 37
A.8. Changes from draft-ietf-tcpm-icmp-attacks-03 . . . . . . . 36 | A.8. Changes from draft-ietf-tcpm-icmp-attacks-03 . . . . . . . 37
A.9. Changes from draft-ietf-tcpm-icmp-attacks-02 . . . . . . . 36 | A.9. Changes from draft-ietf-tcpm-icmp-attacks-02 . . . . . . . 37
A.10. Changes from draft-ietf-tcpm-icmp-attacks-01 . . . . . . . 37
A.11. Changes from draft-ietf-tcpm-icmp-attacks-00 . . . . . . . 37 | A.11. Changes from draft-ietf-tcpm-icmp-attacks-00 . . . . . . . 38
A.12. Changes from draft-gont-tcpm-icmp-attacks-05 . . . . . . . 37 | A.12. Changes from draft-gont-tcpm-icmp-attacks-05 . . . . . . . 38
A.13. Changes from draft-gont-tcpm-icmp-attacks-04 . . . . . . . 38
A.14. Changes from draft-gont-tcpm-icmp-attacks-03 . . . . . . . 38 | A.14. Changes from draft-gont-tcpm-icmp-attacks-03 . . . . . . . 39
A.15. Changes from draft-gont-tcpm-icmp-attacks-02 . . . . . . . 38 | A.15. Changes from draft-gont-tcpm-icmp-attacks-02 . . . . . . . 39
A.16. Changes from draft-gont-tcpm-icmp-attacks-01 . . . . . . . 39
A.17. Changes from draft-gont-tcpm-icmp-attacks-00 . . . . . . . 39 | A.17. Changes from draft-gont-tcpm-icmp-attacks-00 . . . . . . . 40
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 39 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 40
1. Introduction
ICMP [RFC0792] is a fundamental part of the TCP/IP protocol suite,
and is used mainly for reporting network error conditions. However,
the current specifications do not recommend any kind of validation
checks on the received ICMP error messages, thus allowing variety of
attacks against TCP [RFC0793] by means of ICMP, which include blind
connection-reset, blind throughput-reduction, and blind performance-
degrading attacks. All of these attacks can be performed even being
skipping to change at page 15, line 51
synchronized states (ESTABLISHED, FIN-WAIT-1, FIN-WAIT-2, CLOSE-WAIT,
CLOSING, LAST-ACK or TIME-WAIT) as "soft errors". That is, they do
not abort the corresponding connection upon receipt of them.
Additionally, they do not extrapolate ICMP errors across TCP
connections. This policy is based on the premise that TCP should be
as robust as possible. Aborting the connection would be to ignore
the valuable feature of the Internet that for many internal failures
it reconstructs its function without any disruption of the end points
[RFC0816].
It should be noted that treating ICMP hard errors as soft errors for
connections in any of the synchronized states may prevent TCP from
responding quickly to a legitimate ICMP error message.
It is interesting to note that, as ICMP error messages are
transmitted unreliably, transport protocols should not depend on them
for correct functioning. In the event one of these messages were
legitimate, the corresponding connection would eventually time out.
Also, applications may still be notified asynchronously about the
error condition, and thus may still abort their connections on their
own if they consider it appropriate.
In scenarios such as that in which an intermediate system sets the DF
bit in the segments transmitted by a TCP that does not implement
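Review bot: the paragraph added in -12 ("It should be noted that treating ICMP hard errors as soft errors for connections in any of the synchronized states may prevent TCP from responding quickly to a legitimate ICMP error message") states the cost of the soft-error policy but leaves "quickly" unbounded, and the unchanged paragraph right after it already supplies the bound: with hard errors treated as soft, a connection to a peer that really is unreachable is not aborted on receipt of the ICMP message but lingers until "the corresponding connection would eventually time out", unless the application acts on the asynchronous notification first. Suggest merging the two so the trade-off reads as one argument, e.g. "... may prevent TCP from responding quickly to a legitimate ICMP error message: the connection is torn down by its own timeout, or by the application, rather than on receipt of the message." Minor, in the unchanged Introduction text of this block: "thus allowing variety of attacks" should be "thus allowing a variety of attacks".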
skipping to change at page 32, line 21 | skipping to change at page 32, line 51
Source Quench messages meant for TCP connections. This is in
accordance with research results that indicate that ICMP Source
Quench messages are ineffective and unfair antidote for congestion.
Finally, Section 7.2 describes an attack-specific countermeasure for
the blind performance-degrading attack. It consists of the
validation check described in Section 4.1, with a modification that
makes TCP react to ICMP "Packet Too Big" error messages such that
they are processed when an outstanding TCP segment times out. This
countermeasures parallels the Packetization Layer Path MTU Discovery
(PLPMTUD) mechanism [RFC4821]. | (PLPMTUD) mechanism [RFC4821]. It should be noted that if this
counter-measure is implemented, in some scenarios TCP may respond
more slowly to valid ICMP "Packet Too Big" error messages.
A discussion of these and other attack vectors for performing similar
attacks against TCP (along with possible counter-measures) can be
found in [CPNI-TCP] and [I-D.ietf-tcpm-tcp-security].
9. IANA Considerations
This document has no actions for IANA. The RFC-Editor can remove
this section before publication of this document as an RFC.
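Review bot: the sentence added to the Security Considerations ("in some scenarios TCP may respond more slowly to valid ICMP "Packet Too Big" error messages") hedges on "some scenarios" when the preceding, unchanged text already pins the scenario down: the counter-measure only processes a Packet Too Big "when an outstanding TCP segment times out", so on an active connection whose Path-MTU genuinely shrinks the delay is at least one retransmission timeout before the smaller MTU takes effect. Suggest naming that case and pointing the reader at Section 7.3.2 ("Operation during Path-MTU changes", per the table of contents in this diff) instead of "in some scenarios", so an implementer can weigh the cost against the blind performance-degrading attack it prevents. Two smaller points in the same block: the unchanged line "This countermeasures parallels the Packetization Layer Path MTU Discovery" should read "This countermeasure parallels", and the block now mixes "countermeasure" (unchanged text) with "counter-measure" (the added sentence); the section headings use "counter-measure", so that is the form to keep.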
skipping to change at page 34, line 31 | skipping to change at page 35, line 13
tn-03-09-security-assessment-TCP.pdf, 2009.
[DClark] Clark, D., "The Design Philosophy of the DARPA Internet
Protocols", Computer Communication Review Vol. 18, No. 4,
1988.
[FreeBSD] The FreeBSD Project, "http://www.freebsd.org".
[I-D.ietf-tcpm-tcp-auth-opt]
Touch, J., Mankin, A., and R. Bonica, "The TCP
Authentication Option", draft-ietf-tcpm-tcp-auth-opt-10 | Authentication Option", draft-ietf-tcpm-tcp-auth-opt-11
(work in progress), January 2010. | (work in progress), March 2010.
[I-D.ietf-tcpm-tcp-security]
Gont, F., "Security Assessment of the Transmission Control
Protocol (TCP)", draft-ietf-tcpm-tcp-security-01 (work in
progress), February 2010.
[I-D.ietf-tcpm-tcpsecure]
Ramaiah, A., Stewart, R., and M. Dalal, "Improving TCP's
Robustness to Blind In-Window Attacks",
draft-ietf-tcpm-tcpsecure-12 (work in progress),
End of changes. 14 change blocks.
25 lines changed or deleted | 31 lines changed or added

This html diff was produced by rfcdiff 1.38. The latest version is available from http://tools.ietf.org/tools/rfcdiff/