Re: I-D ACTION:draft-ietf-v6ops-icmpv6-filtering-bcp-00.txt
Fernando Gont wrote:
Denial of service attacks via error messages are covered in s3.1 (I
believe the attacks covered in your draft fall into this category).
After your previous message on this subject, I did mention the
possibility of deep packet inspection looking at the embedded packet
(s4.1, next to last paragraph) and that this was relevant to the TCP
attacks you describe. However, this draft is specifically about
firewall rules and the firewall would have to do quite heavy work on the
packet to implement this sort of rule - not all firewalls are
necessarily capable of this. If the firewall can carry out the checks
then they should apply to error messages for any sort of transport and
not just TCP. Also if the embedded packet is encrypted, it would not be
possible to tell that it was specifically a TCP packet. On the other
hand end hosts should certainly do the verification as mentioned in your
draft as is implied by the words in s4.1.
At 09:32 a.m. 19/10/2005, Elwyn Davies wrote:
This new wg draft was published this week. It is a substantial
rewrite of the individual draft which Janos and I published in July.
It now covers all the messages that are currently defined for ICMPv6
and is written in a format which should make it easier for
administrators to crate firewall rules from it.
Comments would be appreciated.
A couple of issues that seem to be missing:
* There's no mention of ICMP attacks against TCP. I have authored a
draft on this issue, along with counter-measures. You can find my
. You should probably mention the attacks, and provide a reference to
my draft for further discussion.
* There's no mention of ingress and egress ICMP-filtering based on the
payload of ICMP messages. You can find a description of such an
"advanced" filtering in Section 4.3 ("Filtering ICMP error messages
based on the ICMP payload") of my internet-draft "ICMP attacks against
As regards referencing the draft, I did consider this: it would be
possible, but it would be preferable if it was clear that it was going to
become an RFC. I notice that the current version of the draft has
expired... are you making any moves to either have this adopted as a wg
draft or get it published as an individual submission RFC? I would
suggest you talk to either Margaret Wasserman (covering the ipv6 group)
or David Kessens (v6ops) to see if you can have it published as an
individual submission via AD, since it is pretty much complete and the
IPv6 wg is currently winding down and may be reluctant to take on new work.
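As an added illustration (not code from the thread, the BCP draft, or either author) of the payload-based check discussed above: an ICMPv6 error is accepted only if the embedded invoking packet matches a flow the host or firewall knows it sent, the same test is applied to TCP and UDP alike, and an embedded ESP packet is reported as uninspectable because the transport header is encrypted. The flow table and packets are constructed here; the builder assumes no IPv6 extension headers and leaves the ICMPv6 checksum zero.

```python
import struct
import ipaddress

TCP, UDP, ESP = 6, 17, 50          # IPv6 Next Header values
ERROR_TYPES = {1, 2, 3, 4}         # ICMPv6 error messages carry an invoking packet

# Constructed flow table: (proto, local addr, local port, remote addr, remote port)
KNOWN_FLOWS = {
    (TCP, "2001:db8::1", 52000, "2001:db8::2", 443),
    (UDP, "2001:db8::1", 53001, "2001:db8::3", 53),
}

def build_ipv6(src, dst, nxt, payload):
    """Build a minimal IPv6 packet (no extension headers) around payload."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), nxt, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload

def build_icmpv6_error(icmp_type, code, invoking_packet):
    """Wrap the invoking packet in an ICMPv6 error (checksum left zero: offline sample)."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + invoking_packet

def classify_icmpv6_error(msg, flows=KNOWN_FLOWS):
    """Verdict for an incoming ICMPv6 error, based on the embedded packet.

    'accept' if the embedded packet belongs to a flow we know we sent,
    'uninspectable' if the transport is hidden by ESP, else 'drop'.
    Assumes no IPv6 extension headers in the embedded packet.
    """
    if not msg or msg[0] not in ERROR_TYPES:
        return "drop"                        # not an error message: nothing to verify here
    inner = msg[8:]                          # RFC 4443: invoking packet starts at offset 8
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return "drop"                        # truncated or not an IPv6 header
    nxt = inner[6]
    src = ipaddress.IPv6Address(inner[8:24]).compressed
    dst = ipaddress.IPv6Address(inner[24:40]).compressed
    if nxt == ESP:
        return "uninspectable"               # encrypted payload: cannot tell TCP from anything else
    if nxt not in (TCP, UDP) or len(inner) < 44:
        return "drop"
    sport, dport = struct.unpack("!HH", inner[40:44])   # ports sit in the first 4 bytes of TCP and UDP
    # The embedded packet is one *we* sent, so src/sport is our local end.
    return "accept" if (nxt, src, sport, dst, dport) in flows else "drop"
```

A firewall that cannot afford this inspection, or that receives the uninspectable verdict, has to fall back on the plain per-type rules the draft describes.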