Subject: Re: icmp patches
To: Fernando Gont <fernando@gont.com.ar>
From: Kevin Lahey <kml@patheticgeek.net>
List: tech-net
Date: 07/09/2005 18:39:28
On Sat, 09 Jul 2005 21:01:13 -0300
Fernando Gont <fernando@gont.com.ar> wrote:

> At 07:49 p.m. 09/07/2005, Kevin Lahey wrote:

> >That does seem like a clever idea, but why wouldn't the attacker just send
> >a RST instead?  I guess I'm concerned that this is delaying ICMP processing
> >when there is an easier way for an attacker to accomplish the same thing.
> 
> That of "delaying the ICMP processing" is the attack-specific
> counter-measure for the blind performance-degrading (PMTUD) attack.
> 
> i.e., there are three attacks, and three counter-measures. Namely:

It seems obvious that we should incorporate the ICMP sequence number
checking stuff.  That's important.  I'm curious about whether we want to
implement the rest of the stuff, even surrounded by ifdef's, before this
draft becomes an RFC.

I haven't kept up with the work of TCPM, and perhaps someone who has
should comment on the whole thing.  Based on a brief look at the TCPM
web site, it looks like there are a number of mitigation proposals on
the table, and it might be useful to wait until there is more consensus.

That said, I'm about to be AFK for the next three days.  If I come
back from my camping trip and this patch has been committed, I'm
not gonna freak.  I just wanted to express my concerns.

Cheers,

Kevin
kml@patheticgeek.com