Subject: Re: icmp patches
To: Fernando Gont <fernando@gont.com.ar>
From: Kevin Lahey <kml@patheticgeek.net>
List: tech-net
Date: 07/09/2005 15:49:02
On Sat, 09 Jul 2005 18:18:51 -0300
Fernando Gont <fernando@gont.com.ar> wrote:

> At 01:29 p.m. 09/07/2005, Kevin Lahey wrote:
> 
> >I was a little unclear on the utility of putting off processing an MTU
> >update via the PMTUD_PENDING, in any case.  What exactly is going on
> >there?
> 
> The idea is simple: If you receive an ICMP error message, the corresponding 
> segment should have been dropped. So when you receive a message, you save 
> it, and wait for an RTO. If in the meantime the corresponding segment is 
> acknowledged, you clear the pending error (i.e., the ICMP error message 
> cannot be legitimate). If it isn't acknowledged, when the corresponding 
> segment times out, you honor the ICMP error message.
> 
> This means that in order to succeed, an attacker would have to be able to 
> either:
> a) Drop the data segments you are sending to the remote endpoint
> b) Drop the ACKs the other endpoint is sending you

That does seem like a clever idea, but why wouldn't the attacker just send 
a RST instead?  I guess I'm concerned that this is delaying ICMP processing 
when there is an easier way for an attacker to accomplish the same thing.

Kevin
kml@patheticgeek.com
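
The deferred handling described in the quoted text above, as an added sketch that is not part of the original message or of the patch under discussion. The struct, field and function names are hypothetical; it assumes 40 bytes of IPv4 plus TCP header overhead and a single retransmission timer per connection, so a timeout while an error is pending is treated as the quoted segment timing out.

```c
#include <stdbool.h>
#include <stdint.h>

/* Modular 32-bit sequence-number comparisons. */
#define SEQ_LT(a, b) ((int32_t)((uint32_t)(a) - (uint32_t)(b)) < 0)
#define SEQ_GT(a, b) ((int32_t)((uint32_t)(a) - (uint32_t)(b)) > 0)

/* Hypothetical per-connection state (illustrative names, not NetBSD's). */
struct conn {
    uint32_t snd_una, snd_max;  /* oldest unacked seq; one past highest sent */
    uint16_t mss;               /* current segment size */
    bool     pmtud_pending;     /* an ICMP "frag needed" awaits confirmation */
    uint32_t pending_seq;       /* sequence number quoted in that ICMP error */
    uint16_t pending_mss;       /* segment size it would impose */
};

/* ICMP "fragmentation needed": record it, do not apply it yet. */
bool icmp_needfrag(struct conn *c, uint32_t quoted_seq, uint16_t next_hop_mtu)
{
    if (SEQ_LT(quoted_seq, c->snd_una) || !SEQ_LT(quoted_seq, c->snd_max))
        return false;                   /* quoted segment is not in flight */
    if (next_hop_mtu < 68 || next_hop_mtu - 40 >= c->mss)
        return false;                   /* below IPv4 minimum, or no reduction */
    c->pmtud_pending = true;
    c->pending_seq = quoted_seq;
    c->pending_mss = next_hop_mtu - 40; /* assumed 40-byte header overhead */
    return true;
}

/* ACK arrival: if it covers the quoted segment, the error cannot be genuine. */
void ack_received(struct conn *c, uint32_t ack)
{
    if (!SEQ_GT(ack, c->snd_una) || SEQ_GT(ack, c->snd_max))
        return;                         /* old or out-of-range ACK */
    c->snd_una = ack;
    if (c->pmtud_pending && SEQ_GT(ack, c->pending_seq))
        c->pmtud_pending = false;       /* segment got through: drop the error */
}

/* Retransmission timeout: a still-pending error is now honored. */
bool rto_expired(struct conn *c)
{
    if (!c->pmtud_pending)
        return false;
    c->mss = c->pending_mss;
    c->pmtud_pending = false;
    return true;                        /* caller retransmits at the new size */
}
```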