Hi Brian,

> -----Original Message-----
> From: Brian Haberman [mailto:[email protected]]
> Sent: Friday, May 15, 2015 4:58 AM
> To: Ronald Bonica; Kathleen Moriarty; Templin, Fred L
> Cc: Suresh Krishnan; [email protected]; [email protected]; 
> [email protected]; draft-ietf-intarea-
> [email protected]; The IESG; [email protected]
> Subject: Re: Kathleen Moriarty's Discuss on draft-ietf-intarea-gre-mtu-04: 
> (with DISCUSS)
> 
> Hi Kathleen,
> 
> On 5/14/15 9:49 PM, Ronald Bonica wrote:
> > Hi Kathleen,
> >
> > Thanks, I will post an updated version of the draft.
> >
> > Regarding Fred’s question, an attacker can send ICMP PTB to the GRE
> > ingress node. When this happens, the GRE ingress node’s estimation of
> > the PMTU and GMTU become inaccurate. That is why the draft says:
> >
> > “PMTU Discovery is vulnerable to two denial of service attacks (see
> > Section 8 of [RFC1191] for details). Both attacks are based upon a
> > malicious party sending forged ICMPv4 Destination Unreachable or
> > ICMPv6 Packet Too Big messages to a host. In the first attack, the
> > forged message indicates an inordinately small PMTU. In the second
> > attack, the forged message indicates an inordinately large MTU. In
> > both cases, throughput is adversely affected. In order to mitigate
> > such attacks, GRE implementations include a configuration option to
> > disable PMTU discovery on GRE tunnels. Also, they can include a
> > configuration option that conditions the behavior of PMTUD to
> > establish a minimum PMTU.”
> 
> The problem with Fred's question is that it is a well-known
> vulnerability of ICMP in general and has a much broader impact than just
> fragmentation and GRE (i.e., this draft). Additionally, I have no idea
> why Fred thinks an "insider attack" is any more of an issue than an
> arbitrary attack.

If the original source, ingress and egress are all within the same well
managed administrative domain, then it would be very advantageous
to use PMTUD instead of probing and/or fragmentation since issues
such as ICMP message loss, multipath and in-the-network fragmentation
are mitigated. But, if source address spoofing is possible within the
administrative domain, then there is opportunity for an insider attack
to disrupt systems that rely on PMTUD.

A fix would be to have the draft mention the ability to spoof source
addresses as a necessary precondition to sustained PTB message
attacks, since attackers that use legitimate source addresses can
be traced. And, the mitigation is for the administrative domain to
employ ingress filtering.

Thanks - Fred
fred.l.templin@boeing,com

> Regards,
> Brian
> 

_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
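
The two configuration options named in the quoted draft text (disable PMTUD, enforce a minimum PMTU) can be modelled as follows. This is an added example, not part of the thread, the draft, or any GRE implementation. The class and function names, the 576-byte floor, the 24-byte overhead, and the rule that a PTB never raises the estimate are assumptions of this sketch.

```python
from dataclasses import dataclass

GRE_OVERHEAD = 24  # assumed: 20-byte IPv4 delivery header + 4-byte GRE header


@dataclass
class GreTunnel:
    link_mtu: int               # MTU of the ingress node's outgoing link
    pmtud_enabled: bool = True  # models the "disable PMTU discovery" option
    min_pmtu: int = 576         # models the "minimum PMTU" option (assumed value)
    pmtu: int = 0               # current path MTU estimate

    def __post_init__(self):
        self.pmtu = self.pmtu or self.link_mtu

    @property
    def gmtu(self) -> int:
        """Largest payload that fits in one GRE packet without fragmentation."""
        return self.pmtu - GRE_OVERHEAD


def handle_ptb(tunnel: GreTunnel, reported_mtu: int) -> str:
    """Apply one ICMP PTB to the tunnel's estimate and return the decision."""
    if not tunnel.pmtud_enabled:
        return "ignored: PMTUD disabled"
    if reported_mtu >= tunnel.pmtu:
        # Covers the forged "inordinately large MTU" case: a PTB may only
        # lower the estimate. Aging the estimate back up is not modelled.
        return "ignored: would not lower estimate"
    if reported_mtu < tunnel.min_pmtu:
        # Covers the forged "inordinately small PMTU" case.
        tunnel.pmtu = tunnel.min_pmtu
        return "clamped to configured minimum"
    tunnel.pmtu = reported_mtu
    return "accepted"


def replay(tunnel: GreTunnel, ptb_mtus):
    """Feed a sequence of reported MTUs and record (mtu, decision, pmtu, gmtu)."""
    return [(m, handle_ptb(tunnel, m), tunnel.pmtu, tunnel.gmtu) for m in ptb_mtus]


if __name__ == "__main__":
    # Constructed input: one plausible PTB, then forged tiny and huge values.
    for row in replay(GreTunnel(link_mtu=1500), [1400, 68, 65535]):
        print(row)
```

The floor bounds the throughput loss from a forged small value but does not authenticate the PTB; the source-address filtering discussed in the message addresses who is able to send one.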