
Re: [Ipsec] new ICMP text for 2401bis



Tero,

Yes, diagrams to explain which ICMP flows we're talking about are 
tricky to construct.  We'll give it a shot, but a table to explain the 
flows will be needed.


>What happens if it is configured that way? It does not tell that
>either... Perhaps it should say:
>
>----------------------------------------------------------------------
>If an IPsec implementation is configured to pass ICMP error packets
>over SAs based on the ICMP header values, without checking the header
>info from the ICMP packet payload, then attackers can cause DoS
>attacks by sending the ICMP packets through the SGW to the other end,
>just like they could if the hosts were on the same network.
>----------------------------------------------------------------------

Yes, we can include text along these lines in the security 
considerations section to explain the dangers of configuring SAs that 
allow transmission of ICMP error messages to skip checking the 
payload.

>
>>  >>  For example, a tunnel may be created between two sites that uses ANY
>>  >>  for protocol and port fields and IP address ranges that encompass
>>  >>  all systems behind the security gateways serving each site. In such
>>  >>  cases, the hosts behind the security gateways will be vulnerable to
>>  >>  DoS attacks that might be launched by other peers with which there
>>  >>  are active SAs.
>>  >
>>  >Perhaps we should describe the situation more here?
>>  suggestions?
>
>Hmmm.. not really, but remembering the items raised in the IESG to the
>UDP encapsulation draft, they always wanted to see the real attacks,
>not just text saying there are some attacks.

OK, we can add an "e.g.," and give examples of the sorts of DoS 
attacks that can result.

>Perhaps it is just enough to say that the attacker can do all the same
>attacks with ICMP messages that it could if it were on the same
>network (including faking the header and contained payload IP
>addresses).
>
>>  >BTW, what about the old PMTU text? Do we copy the old RFC2401 PMTU/DF
>>  >processing stuff from there (section 6 and appendix B)?
>>  Yes, Karen has not yet added back the PMTU text.
>
>After we have this ICMP and that PMTU text done, we should be ready...
>I do not know anything else missing...

Always nice to hear "we're almost done" feedback :-)

Steve
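
As an added illustration, not text from the thread or from 2401bis, the check Tero describes in Python: an ICMP error message is only passed over an SA if the IP header quoted in its payload mirrors a flow the SA's selectors cover, with check_payload=False showing the weaker header-only configuration. Selector ranges, addresses and packets are constructed for the example.

```python
import struct


def ip_to_int(a):
    return struct.unpack("!I", bytes(int(x) for x in a.split(".")))[0]


def in_net(addr, net):
    """net is ('10.1.0.0', 16); True if addr falls inside it."""
    base, bits = net
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    return (ip_to_int(addr) & mask) == (ip_to_int(base) & mask)


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum zeroed) plus payload. Constructed test input."""
    a = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, a(src), a(dst)) + payload


def build_icmp_unreachable(src, dst, offending):
    """ICMP type 3 (destination unreachable) quoting the offending packet's header + 8 bytes."""
    return build_ipv4(src, dst, 1, struct.pack("!BBHI", 3, 1, 0, 0) + offending[:28])


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) of a raw IPv4 packet."""
    fmt = lambda b: ".".join(str(x) for x in b)
    return fmt(pkt[12:16]), fmt(pkt[16:20]), pkt[9], pkt[(pkt[0] & 0x0F) * 4:]


def passes_icmp_check(pkt, err_src_net, err_dst_net, check_payload):
    """err_src_net is the side emitting the ICMP error over the SA, err_dst_net the
    side receiving it. The outer header must be an ICMP error between those sides.
    With check_payload=True the IP header quoted in the ICMP payload must be the
    mirror image of a flow the SA carries (err_dst -> err_src); omitting that check
    lets a peer relay ICMP errors about flows that never crossed the SA."""
    src, dst, proto, l4 = parse_ipv4(pkt)
    if proto != 1 or l4[0] not in (3, 4, 11, 12):   # ICMP error types only
        return False
    if not (in_net(src, err_src_net) and in_net(dst, err_dst_net)):
        return False
    if not check_payload:
        return True                                # header-only configuration
    inner = l4[8:]                                 # quoted offending IP header
    if len(inner) < 20:
        return False
    isrc, idst, _, _ = parse_ipv4(inner)
    return in_net(isrc, err_dst_net) and in_net(idst, err_src_net)
```

Run with an SA between 10.1.0.0/16 and 10.2.0.0/16: an unreachable message quoting a 10.2.x -> 10.1.x packet passes both modes, while one quoting a 10.2.x -> 192.168.7.7 packet passes only the header-only mode.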

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec