
Re: I-D ACTION:draft-ietf-v6ops-icmpv6-filtering-bcp-00.txt



Hi, Fernando.

Fernando Gont wrote:

At 09:32 a.m. 19/10/2005, Elwyn Davies wrote:

This new wg draft was published this week. It is a substantial rewrite of the individual draft which Janos and I published in July.

It now covers all the messages that are currently defined for ICMPv6 and is written in a format which should make it easier for administrators to create firewall rules from it.

Comments would be appreciated.



A couple of issues that seem to be missing:

* There's no mention of ICMP attacks against TCP. I have authored a draft on this issue, along with counter-measures. You can find my internet-draft at http://www.ietf.org/internet-drafts/draft-gont-tcpm-icmp-attacks-04.txt . You should probably mention the attacks, and provide a reference to my draft for further discussion.

* There's no mention of ingress and egress ICMP-filtering based on the payload of ICMP messages. You can find a description of such an "advanced" filtering in Section 4.3 ("Filtering ICMP error messages based on the ICMP payload") of my internet-draft "ICMP attacks against TCP", too.

Denial of service attacks via error messages are covered in s3.1 (I believe the attacks covered in your draft fall into this category). After your previous message on this subject, I did mention the possibility of deep packet inspection looking at the embedded packet (s4.1, next to last paragraph) and that this was relevant to the TCP attacks you describe. However, this draft is specifically about firewall rules, and the firewall would have to do quite heavy work on the packet to implement this sort of rule - not all firewalls are necessarily capable of this. If the firewall can carry out the checks, then they should apply to error messages for any sort of transport and not just TCP. Also, if the embedded packet is encrypted, it would not be possible to tell that it was specifically a TCP packet. On the other hand, end hosts should certainly do the verification as mentioned in your draft, as is implied by the words in s4.1.

As regards referencing the draft, I did consider this: it would be possible, but it would be preferable if it was clear that it was going to become an RFC. I notice that the current version of the draft has expired... are you making any moves to either have this adopted as a wg draft or get it published as an individual submission RFC? I would suggest you talk to either Margaret Wasserman (covering the ipv6 group) or David Kessens (v6ops) to see if you can have it published as an individual submission via AD, since it is pretty much complete and the IPv6 wg is currently winding down and may be reluctant to take on new work.

Regards,
Elwyn

Kindest regards,

--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
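As an added illustration of the payload-based filtering discussed in the exchange above (this is example code written for this page, not from either draft or either author), the following Python models a stateful firewall rule that passes an inbound ICMPv6 error message only if the packet quoted inside it matches a flow the firewall saw leave. The rule is transport-agnostic, and when the quoted packet is ESP it falls back to matching addresses and protocol only, since the ports are not visible. Addresses, ports and the state table are constructed samples; the ICMPv6 checksum is left zero.

```python
import ipaddress
import struct

ICMPV6_ERROR_TYPES = {1, 2, 3, 4}  # Dest Unreachable, Packet Too Big, Time Exceeded, Param Problem
TCP, UDP, ESP = 6, 17, 50
IPV6_HDR_LEN, ICMPV6_HDR_LEN = 40, 8

def embedded_flow(msg):
    """Extract the flow key of the packet quoted inside an ICMPv6 error message.
    Returns (src, dst, proto, sport, dport), or None if the message is not an
    error or is too short to carry a full inner IPv6 header. Ports are None
    for transports whose header cannot be read here (e.g. ESP, encrypted)."""
    if len(msg) < ICMPV6_HDR_LEN + IPV6_HDR_LEN or msg[0] not in ICMPV6_ERROR_TYPES:
        return None
    inner = msg[ICMPV6_HDR_LEN:]
    if inner[0] >> 4 != 6:                    # quoted packet must itself be IPv6
        return None
    proto = inner[6]                          # inner Next Header field
    src = ipaddress.IPv6Address(inner[8:24])
    dst = ipaddress.IPv6Address(inner[24:40])
    sport = dport = None
    if proto in (TCP, UDP) and len(inner) >= IPV6_HDR_LEN + 4:
        sport, dport = struct.unpack("!HH", inner[40:44])
    return (src, dst, proto, sport, dport)

def error_allowed(msg, outbound_flows):
    """Stateful rule: pass the error only if it quotes a packet we saw leave.
    For ESP the table holds (src, dst, 50, None, None), so the same rule
    works without knowing whether the protected payload was TCP."""
    flow = embedded_flow(msg)
    return flow is not None and flow in outbound_flows

def build_error(icmp_type, code, src, dst, proto, transport_hdr):
    """Constructed sample ICMPv6 error: 8-byte ICMPv6 header + inner IPv6 header + transport bytes."""
    inner = struct.pack("!IHBB", 6 << 28, len(transport_hdr), proto, 64)
    inner += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + inner + transport_hdr

# Constructed state: one TCP connection and one ESP SA seen leaving the site.
INSIDE, OUTSIDE = "2001:db8:1::10", "2001:db8:2::1"
STATE = {
    (ipaddress.IPv6Address(INSIDE), ipaddress.IPv6Address(OUTSIDE), TCP, 43210, 443),
    (ipaddress.IPv6Address(INSIDE), ipaddress.IPv6Address(OUTSIDE), ESP, None, None),
}
TCP_HDR = struct.pack("!HHIIHHHH", 43210, 443, 1000, 0, (5 << 12) | 0x02, 65535, 0, 0)

if __name__ == "__main__":
    genuine = build_error(2, 0, INSIDE, OUTSIDE, TCP, TCP_HDR)          # Packet Too Big for a known flow
    spoofed = build_error(1, 4, INSIDE, OUTSIDE, TCP, b"\xa8\xca\x00\x19")  # quotes port 25, never used
    print(error_allowed(genuine, STATE), error_allowed(spoofed, STATE))  # True False
```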