
Re: draft-ietf-opsec-filter-caps-08.txt



(resent because my @vzb.com address wasn't subscribed...)

On Thu, 28 Jun 2007, Chris L. Morrow wrote:

>
>
> On Thu, 28 Jun 2007, Danny McPherson wrote:
>
> >
> > On Jun 27, 2007, at 10:26 PM, Chris L. Morrow wrote:
> >
> > >
> > >
> > > On Wed, 27 Jun 2007, Danny McPherson wrote:
> > >
> > > I think the fear expressed is that if you aren't careful and just drop
> > > all icmp (which is probably what happens in 99.9% of the 'i got icmp
> > > flooded' incidents) you'd run the risk of dropping the icmp 3/4 as
> > > well. This may matter if, for instance, the attackee is a webserver
> > > sending back full content packets (mtu 4400 fddi frames) and somewhere
> > > near the source of the request ethernet was the only viable media...
> > >
> > > I doubt this is a huge concern to the attackee, so long as most of
> > > their customers work, and it's fairly easily remedied if you filter
> > > the actual attack type/code only.
> >
> > So how about this slight modification to the text:
> >
> > Some denial of service attacks are based on the ability to
> > flood the victim with ICMP traffic.  One quick way to mitigate
> > the effects of such attacks is to drop all ICMP traffic headed
> > toward the victim.  It should be noted that one possibly
> > negative implication of filtering all ICMP traffic towards a
> > victim is that legitimate functions which rely upon successful
> > delivery of ICMP messages to the victim (e.g., PMTU-D
> > elicited ICMP Destination Unreachable - fragmentation
> > needed error messages) will not be received by the victim.
> >
> > Or something of the sort...?
>
> Sure, I think I'd even simplify that by changing:
>
> "It should be noted that one possibly negative implication of filtering
> all ICMP traffic towards a victim is that legitimate functions which rely
> upon successful delivery of ICMP messages to the victim (e.g., PMTU-D
> elicited ICMP Destination Unreachable - fragmentation needed error
> messages) will not be received by the victim."
>
> to:
> "It should be noted that one possibly negative implication of
> filtering all ICMP traffic towards a victim is that legitimate functions
> which rely upon successful delivery of ICMP messages to the victim (e.g.,
> ICMP unreachables, Type-3 messages) will not be received by the victim."
>
> Effectively 'not all icmp is created equally'.
>
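The 'not all icmp is created equally' point above, shown as an added example that is not part of this thread or the draft: a minimal IPv4/ICMP parser plus the two filter policies the thread compares (drop every ICMP datagram versus drop only the attacking type/code), run over two constructed packets, an echo-request flood packet and a Type 3 / Code 4 "fragmentation needed" message carrying a next-hop MTU of 1500. The addresses, the policy names and the attack type/code default are assumptions for the example, not values from the page.

```python
import struct

# ICMP types/codes referenced in the thread (RFC 792 / RFC 1191 values)
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4       # "fragmentation needed and DF set"
ICMP_ECHO_REQUEST = 8

def build_ipv4_icmp(icmp_type, icmp_code, rest=b"\x00" * 4, payload=b""):
    """Constructed IPv4+ICMP packet for the example (checksums left zero).
    Source/destination are RFC 5737 documentation addresses, not real hosts."""
    icmp = struct.pack("!BBH", icmp_type, icmp_code, 0) + rest + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 80]))
    return ip + icmp

def parse_icmp(pkt):
    """Return (type, code, next_hop_mtu) for an ICMP datagram, None if not ICMP.
    next_hop_mtu is only filled for Type 3 / Code 4 (RFC 1191 field)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:                      # protocol 1 = ICMP
        return None
    icmp = pkt[ihl:]
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, icmp_code = icmp[0], icmp[1]
    mtu = None
    if (icmp_type, icmp_code) == (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        mtu = struct.unpack("!H", icmp[6:8])[0]
    return icmp_type, icmp_code, mtu

def filter_decision(policy, pkt, attack=(ICMP_ECHO_REQUEST, 0)):
    """Apply one of the two mitigation styles discussed in the thread.
    'attack' is the (type, code) seen in the flood; echo request is assumed."""
    parsed = parse_icmp(pkt)
    if parsed is None:
        return "permit"                  # non-ICMP traffic is untouched
    icmp_type, icmp_code, _ = parsed
    if policy == "drop-all-icmp":
        return "drop"                    # quick fix: also kills PMTU-D replies
    if policy == "drop-attack-type-code":
        return "drop" if (icmp_type, icmp_code) == attack else "permit"
    raise ValueError(f"unknown policy {policy!r}")

# Constructed sample traffic: a flood packet and a legitimate PMTU-D message
# (a router on an Ethernet path reporting MTU 1500 back to the webserver).
FLOOD = build_ipv4_icmp(ICMP_ECHO_REQUEST, 0, payload=b"\x00" * 56)
PMTUD = build_ipv4_icmp(ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
                        rest=struct.pack("!HH", 0, 1500), payload=b"\x00" * 28)
```

Under "drop-all-icmp" both packets are dropped; under "drop-attack-type-code" the flood is dropped while the Type 3 / Code 4 message, and the MTU it carries, still reaches the victim.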