Re: [Ipsec] new ICMP text for 2401bis
Tero,
Yes, diagrams to explain which ICMP flows we're talking about are
tricky to construct. We'll give it a shot, but a table to explain the
flows will be needed.
>What happens if it is configured that way? It does not tell that
>either... Perhaps it should say:
>
>----------------------------------------------------------------------
>If an IPsec implementation is configured to pass ICMP error packets
>over SAs based on the ICMP header values, without checking the header
>info from the ICMP packet payload, then attackers can cause DoS
>attacks by sending the ICMP packets through the SGW to the other end,
>just like they could if the hosts were on the same network.
>----------------------------------------------------------------------
Yes, we can include text along these lines in the security
considerations section to explain the dangers of configuring SAs that
allow transmission of ICMP error messages to skip checking the
payload.
>
>> >> For example, a tunnel may be created between two sites that uses ANY
>> >> for protocol and port fields and IP address ranges that encompass
>> >> all systems behind the security gateways serving each site. In such
>> >> cases, the hosts behind the security gateways will be vulnerable to
>> >> DoS attacks that might be launched by other peers with which there
>> >> are active SAs.
>> >
>> >Perhaps we should describe the situation more here?
>> suggestions?
>
>Hmmm.. not really, but remembering the items raised in the IESG to the
>UDP encapsulation draft, they always wanted to see the real attacks,
>not just text saying there are some attacks.
OK, we can add an "e.g.," and give examples of the sorts of DoS
attacks that can result.
>Perhaps it is just enough to say that the attacker can do all the same
>attacks with ICMP messages that it could if it were on the same
>network (including faking the header and contained payload IP
>addresses).
>
>> >BTW, what about the old PMTU text? Do we copy the old RFC2401 PMTU/DF
>> >processing stuff from there (section 6 and appendix B)?
>> Yes, Karen has not yet added back the PMTU text.
>
>After we have this ICMP and that PMTU text done, we should be ready...
>I do not know anything else missing...
Always nice to hear "we're almost done" feedback :-)
Steve
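As an added illustration of the check the thread is discussing (this is example code written for this page, not code from the draft, from the posters, or from any IPsec implementation): the function below contrasts an inbound policy that admits an ICMP error message on the strength of the outer IP header and ICMP type alone with one that also parses the offending IP header carried in the ICMP payload and requires it to describe a flow the SA's selectors would have carried outbound. The SA selectors, addresses and packets are constructed for the example (the hypothetical `Selector` class is not an API of any product); the tunnel uses ANY for protocol, as in the site-to-site case quoted above.

```python
"""Added example: ICMP error inbound checks with and without inspecting the
embedded (offending) IP header. Constructed packets, hypothetical selectors."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_ICMP = 1
IPPROTO_TCP = 6
ICMP_DEST_UNREACH = 3        # type 3: destination unreachable
ICMP_CODE_FRAG_NEEDED = 4    # code 4: fragmentation needed and DF set (PMTU)
ICMP_ERROR_TYPES = {3, 4, 11, 12}  # dest unreach, source quench, time exceeded, parameter problem


@dataclass
class Selector:
    """Hypothetical SA traffic selectors, seen from the local side.
    proto=None stands for ANY, as in the site-to-site tunnel in the thread."""
    local_net: ipaddress.IPv4Network
    remote_net: ipaddress.IPv4Network
    proto: Optional[int] = None


def inet_checksum(data: bytes) -> int:
    """Standard one's-complement checksum over 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (DF set, TTL 64) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp_error(icmp_type: int, code: int, offending: bytes, mtu: int = 0) -> bytes:
    """ICMP error: 8-byte header, then the offending packet's IP header plus 8 bytes."""
    body = offending[:28]
    hdr = struct.pack("!BBHHH", icmp_type, code, 0, 0, mtu)
    return hdr[:2] + struct.pack("!H", inet_checksum(hdr + body)) + hdr[4:] + body


def parse_ipv4(buf: bytes) -> dict:
    """Parse an IPv4 header; raise ValueError on anything that is not one."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        raise ValueError("bad IHL")
    return {"proto": buf[9], "src": ipaddress.IPv4Address(buf[12:16]),
            "dst": ipaddress.IPv4Address(buf[16:20]), "payload": buf[ihl:]}


def naive_inbound_check(pkt: bytes, sa: Selector) -> bool:
    """The configuration the thread warns about: decide on outer IP + ICMP type only."""
    outer = parse_ipv4(pkt)
    if outer["src"] not in sa.remote_net or outer["dst"] not in sa.local_net:
        return False
    if outer["proto"] != IPPROTO_ICMP or len(outer["payload"]) < 8:
        return False
    return outer["payload"][0] in ICMP_ERROR_TYPES


def strict_inbound_check(pkt: bytes, sa: Selector) -> bool:
    """Additionally require the embedded header to describe a packet this SA could have
    carried outbound: inner src in local_net, inner dst in remote_net, protocol matches."""
    if not naive_inbound_check(pkt, sa):
        return False
    try:
        inner = parse_ipv4(parse_ipv4(pkt)["payload"][8:])
    except ValueError:            # truncated or garbage payload: drop it
        return False
    if sa.proto is not None and inner["proto"] != sa.proto:
        return False
    return inner["src"] in sa.local_net and inner["dst"] in sa.remote_net


# Constructed example SA: two sites, ANY protocol (the case quoted in the thread).
SA = Selector(ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("203.0.113.0/24"))


def sample_packets() -> tuple:
    """Constructed: a genuine PMTU error and a forgery with the same outer headers."""
    tcp8 = struct.pack("!HHI", 40000, 443, 1)   # first 8 bytes of a TCP header
    sent_by_us = build_ipv4("192.0.2.10", "203.0.113.80", IPPROTO_TCP, tcp8)
    legit = build_ipv4("203.0.113.1", "192.0.2.10", IPPROTO_ICMP,
                       build_icmp_error(ICMP_DEST_UNREACH, ICMP_CODE_FRAG_NEEDED, sent_by_us, 576))
    never_ours = build_ipv4("198.51.100.5", "192.0.2.10", IPPROTO_TCP, tcp8)
    forged = build_ipv4("203.0.113.1", "192.0.2.10", IPPROTO_ICMP,
                        build_icmp_error(ICMP_DEST_UNREACH, ICMP_CODE_FRAG_NEEDED, never_ours, 68))
    return legit, forged


if __name__ == "__main__":
    for name, pkt in zip(("legit", "forged"), sample_packets()):
        print(name, "naive:", naive_inbound_check(pkt, SA), "strict:", strict_inbound_check(pkt, SA))
```

The naive policy accepts both packets; the strict one drops the forgery because its embedded header names a source outside the local selector. Note what the check does not do: a peer that holds the SA can still forge an embedded header that lies within the selectors, so with ANY-protocol, whole-site selectors the hosts behind the gateway remain exposed to the peer, which is the residual risk the thread is about.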
_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec