Fred,

> On May 15, 2015, at 10:39 AM, Templin, Fred L <[email protected]>
> wrote:
>
> Hi Brian,
>
>> -----Original Message-----
>> From: Brian Haberman [mailto:[email protected]]
>> Sent: Friday, May 15, 2015 4:58 AM
>> To: Ronald Bonica; Kathleen Moriarty; Templin, Fred L
>> Cc: Suresh Krishnan; [email protected]; [email protected];
>> [email protected]; draft-ietf-intarea-
>> [email protected]; The IESG; [email protected]
>> Subject: Re: Kathleen Moriarty's Discuss on draft-ietf-intarea-gre-mtu-04:
>> (with DISCUSS)
>>
>> Hi Kathleen,
>>
>> On 5/14/15 9:49 PM, Ronald Bonica wrote:
>>> Hi Kathleen,
>>>
>>> Thanks, I will post an updated version of the draft.
>>>
>>> Regarding Fred’s question, an attacker can send ICMP PTB to the GRE
>>> ingress node. When this happens, the GRE ingress node’s estimation of
>>> the PMTU and GMTU become inaccurate. That is why the draft says:
>>>
>>> “PMTU Discovery is vulnerable to two denial of service attacks (see
>>> Section 8 of [RFC1191] for details). Both attacks are based upon a
>>> malicious party sending forged ICMPv4 Destination Unreachable or
>>> ICMPv6 Packet Too Big messages to a host. In the first attack, the
>>> forged message indicates an inordinately small PMTU. In the second
>>> attack, the forged message indicates an inordinately large MTU. In
>>> both cases, throughput is adversely affected. In order to mitigate
>>> such attacks, GRE implementations include a configuration option to
>>> disable PMTU discovery on GRE tunnels. Also, they can include a
>>> configuration option that conditions the behavior of PMTUD to
>>> establish a minimum PMTU.”
>>
>> The problem with Fred's question is that it is a well-known
>> vulnerability of ICMP in general and has a much broader impact than just
>> fragmentation and GRE (i.e., this draft). Additionally, I have no idea
>> why Fred thinks an "insider attack" is any more of an issue than an
>> arbitrary attack.
>
> If the original source, ingress and egress are all within the same well
> managed administrative domain, then it would be very advantageous
> to use PMTUD instead of probing and/or fragmentation since issues
> such as ICMP message loss, multipath and in-the-network fragmentation
> are mitigated. But, if source address spoofing is possible within the
> administrative domain, then there is opportunity for an insider attack
> to disrupt systems that rely on PMTUD.
>
> A fix would be to have the draft mention the ability to spoof source
> addresses as a necessary precondition to sustained PTB message
> attacks, since attackers that use legitimate source addresses can
> be traced. And, the mitigation is for the administrative domain to
> employ ingress filtering.
>

Again, like Brian wrote, there is nothing in this draft that enables or directly relates to that attack — or a different way, that attack is broader and not specific to GRE.

— Carlos.

> Thanks - Fred
> fred.l.templin@boeing,com
>
>> Regards,
>> Brian
>>
>
_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
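As an added illustration (not part of the thread and not code from the draft or any GRE implementation), here is a C sketch of the two mitigations named in the quoted draft text: an option to disable PMTUD on the tunnel, and a configured minimum PMTU, plus the rule that a PTB message never raises the estimate. The struct and function names, the 1280 floor and the 24-byte IPv4 delivery plus GRE header overhead are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-tunnel PMTUD state; all names are illustrative. */
struct gre_tunnel {
    int      pmtud_enabled;  /* 0 = ignore PTB messages on this tunnel */
    uint16_t min_pmtu;       /* operator-configured floor for the estimate */
    uint16_t pmtu;           /* current PMTU estimate, ingress to egress */
};

enum ptb_action { PTB_IGNORED, PTB_CLAMPED, PTB_ACCEPTED };

/* Assumed overhead: 20-byte IPv4 delivery header + 4-byte GRE header. */
#define GRE_IPV4_OVERHEAD 24

/* Apply the MTU reported in a received PTB message to the estimate. */
enum ptb_action gre_handle_ptb(struct gre_tunnel *t, uint16_t reported_mtu)
{
    if (!t->pmtud_enabled)
        return PTB_IGNORED;        /* mitigation: PMTUD disabled on tunnel */
    if (reported_mtu >= t->pmtu)
        return PTB_IGNORED;        /* a PTB must never raise the estimate */
    if (reported_mtu < t->min_pmtu) {
        t->pmtu = t->min_pmtu;     /* mitigation: enforce configured floor */
        return PTB_CLAMPED;
    }
    t->pmtu = reported_mtu;        /* plausible decrease: accept it */
    return PTB_ACCEPTED;
}

/* GMTU as used here: PMTU minus the assumed encapsulation overhead. */
uint16_t gre_gmtu(const struct gre_tunnel *t)
{
    return (uint16_t)(t->pmtu - GRE_IPV4_OVERHEAD);
}

int main(void)
{
    struct gre_tunnel t = { 1, 1280, 1500 };
    uint16_t reported[] = { 68, 9000, 1400 };  /* constructed PTB values */
    for (int i = 0; i < 3; i++) {
        enum ptb_action a = gre_handle_ptb(&t, reported[i]);
        printf("PTB mtu=%u action=%d pmtu=%u gmtu=%u\n", (unsigned)reported[i],
               (int)a, (unsigned)t.pmtu, (unsigned)gre_gmtu(&t));
    }
    return 0;
}
```

The floor bounds the throughput loss from a forged small value but does not authenticate the PTB; source validation such as the ingress filtering raised in the thread is a separate control.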
