Subject: Re: ICMP attacks against TCP
To: Jonathan Stone <>
From: Fernando Gont <>
List: tech-security
Date: 12/10/2004 01:17:26
At 15:09 09/12/2004 -0800, Jonathan Stone wrote:

> >You can get the latest version of the draft from:
> >
>If you really want constructive criticism, I think you'd be much
>better off not spamming anyone who goes to that URL with popup ads.

I'm using a free hosting service for my personal site. At least a month 
ago, there were no popup ads. I've just checked it, and it seems they have 
added those popups.
(See below)

In any case, you can get the latest draft at:

In a few days (probably tomorrow) it will show up in the internet-drafts 

>Also, is there some good reason why the URL is set up to make it hard
>to save a text version of your non-IETF working draft?

Yes. As I said, I'm hosting my site with free services. I use mydomain for 
hosting the domain, and use and prohosting services for the 
web hosting. Portland has no popups and no ads... but they do not support 
CGIs. Prohosting, on the other hand, supports CGIs, but has ads. So I 
"masquerade" the site so that the scripts are hosted in prohosting, and the 
"text-only" pages are hosted in portland.
It may or may not be a good reason for you, though.

As for the draft, not sure why you said "non-IETF". I did submit it to the 
IETF. It has not yet shown up in the internet-drafts directory. That's 
all. (And that's why I provided a link to my personal site instead of one 
pointing to the IETF site, BTW).

>If you genuinely want constructive criticism, you should make the working
>draft available in text form, for careful perusal outside a web browser.

Well, the draft *is* in text form. However, a few hours ago I was at work 
and tried to save it from the web as a text file, and had the same hard 
time I guess you had. My apologies for this.

> >(Constructive) comments on the draft are more than welcome.
>I'm afraid that all you will get from me is feedback on the
>IETF-archived -01 draft, available from (amongst others)
>via non-onerous means.

Believe me, I live in Argentina, and have no interest in those popups, ads, 
or whatever. Just using free services. Time to pay for a web hosting, I 
think. :-)

> >P.S.: As far as I understand NetBSD does not check TCP sequence numbers.
> >Not sure how you handle the PMTUD issue, either.
>NetBSD implements PMTUD, and a version of Dave Borman's syn-cache
>code.  Not sure what other TCP sequence-number checks you're referring to;
>the Cisco-patented window-checks designed for attacks against BGP, or
>something else?

Not sure what you mean by "Cisco-patented window-checks". If you mean that 
of checking the TCP sequence number in the ICMP payload, then that's not 
patented by Cisco. I had received a notification from Cisco's lawyer when I 
published the first version of my draft, saying that they had a pending 
patent on it.

However, some time later the Linux folks contacted him, and explained to him 
that Linux had been doing this for years. So he withdrew the patent claim.

BTW, as far as I understand, the TCP sequence number checking is implemented 
in FreeBSD. The folks from OpenBSD generated a patch just a couple of weeks 
after the first version of my draft was published.

Adding the TCP sequence number checks makes ICMP attacks against TCP as 
hard as TCP-based attacks (spoofing TCP segments).
For PMTUD, it probably makes sense to add some more counter-measures. 
That's explained in the draft. These include checking the acknowledgement 
number, and probably delaying the update of the assumed PMTU.

Again, you can get the latest draft in plain-text, ad-free form from:

Hope to get your constructive comments, now. :-)

Fernando Gont
e-mail: ||
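The checks discussed in the message above (validating the TCP sequence number quoted in an ICMP error, and for PMTUD also the acknowledgement number plus a delayed update of the assumed PMTU), worked through as an added example. This is not code from the draft, nor from the NetBSD, FreeBSD, OpenBSD or Linux stacks mentioned. Assumptions: the connection is already matched by the caller from the embedded addresses and ports; the accepted sequence range is SND.UNA <= SEQ < SND.NXT; the "delay until the retransmission timer fires, cancel on ACK" policy is one possible design, not the draft's text; the struct and function names and the sample ICMP message are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Sequence-number comparisons that survive 32-bit wraparound (the idiom of
 * BSD tcp_seq.h). */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_LEQ(a, b) ((int32_t)((a) - (b)) <= 0)

/* Assumed minimal per-connection state, named after RFC 793. The caller is
 * assumed to have already matched the embedded addresses/ports to it. */
typedef struct {
    uint32_t snd_una;      /* oldest sequence number sent but not yet acked */
    uint32_t snd_nxt;      /* next sequence number we will send */
    uint32_t rcv_nxt;      /* next sequence number we expect from the peer */
    uint32_t pmtu;         /* path MTU currently in use */
    uint32_t pending_pmtu; /* MTU proposed by "fragmentation needed", 0 if none */
} tcp_conn_t;

static uint32_t get_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Returns 1 if the TCP header quoted in an ICMP error is consistent with the
 * connection, 0 if the message should be ignored. Layout: 8-byte ICMP header,
 * the offending IPv4 header, then the leading bytes of the offending TCP
 * segment. With check_ack set, the ACK number (TCP bytes 8..11) must also be
 * present and plausible: the stricter test used for PMTUD. */
int icmp_tcp_error_plausible(const uint8_t *icmp, size_t len,
                             const tcp_conn_t *c, int check_ack) {
    if (len < 8 + 20) return 0;                   /* no room for an IPv4 header */
    const uint8_t *ip = icmp + 8;
    if ((ip[0] >> 4) != 4) return 0;              /* not IPv4 */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || ip[9] != 6) return 0;         /* bad IHL or not TCP */
    if (len < 8 + ihl + (check_ack ? 12u : 8u)) return 0; /* TCP fields missing */
    const uint8_t *tcp = ip + ihl;

    /* Core check: the quoted segment must carry data we sent and have not yet
     * had acknowledged, i.e. SND.UNA <= SEQ < SND.NXT (assumed bounds). */
    uint32_t seq = get_be32(tcp + 4);
    if (!(SEQ_LEQ(c->snd_una, seq) && SEQ_LT(seq, c->snd_nxt))) return 0;

    if (check_ack) {
        /* A segment we sent cannot acknowledge peer data we never received. */
        uint32_t ack = get_be32(tcp + 8);
        if (!SEQ_LEQ(ack, c->rcv_nxt)) return 0;
    }
    return 1;
}

/* Delayed PMTU update (assumed design): a plausible "fragmentation needed"
 * only records the proposed MTU. It takes effect if the retransmission timer
 * fires (the data really is not getting through) and is dropped if an ACK
 * arrives first (it was). */
void pmtud_on_icmp(tcp_conn_t *c, const uint8_t *icmp, size_t len) {
    if (!icmp_tcp_error_plausible(icmp, len, c, 1)) return;
    uint32_t mtu = ((uint32_t)icmp[6] << 8) | icmp[7];  /* next-hop MTU field */
    if (mtu < 68 || mtu >= c->pmtu) return;   /* below IPv4 minimum / no reduction */
    c->pending_pmtu = mtu;
}
void pmtud_on_rto(tcp_conn_t *c) {
    if (c->pending_pmtu) { c->pmtu = c->pending_pmtu; c->pending_pmtu = 0; }
}
void pmtud_on_ack(tcp_conn_t *c) { c->pending_pmtu = 0; }

/* Constructed sample: an ICMP "fragmentation needed" (type 3, code 4) quoting
 * an IPv4 header and a 20-byte TCP header with the given SEQ/ACK. */
size_t build_frag_needed(uint8_t *buf, uint32_t seq, uint32_t ack, uint16_t mtu) {
    memset(buf, 0, 48);
    buf[0] = 3; buf[1] = 4;
    buf[6] = (uint8_t)(mtu >> 8); buf[7] = (uint8_t)mtu;
    uint8_t *ip = buf + 8;
    ip[0] = 0x45; ip[9] = 6;                  /* IPv4, IHL 5, protocol TCP */
    uint8_t *tcp = ip + 20;
    tcp[0] = 0x04; tcp[1] = 0xd2;             /* source port 1234 */
    tcp[2] = 0x00; tcp[3] = 0x50;             /* destination port 80 */
    put_be32(tcp + 4, seq);
    put_be32(tcp + 8, ack);
    return 48;
}

/* A connection with the given window receives one constructed message;
 * returns the plausibility verdict. */
int scenario(uint32_t snd_una, uint32_t snd_nxt, uint32_t rcv_nxt,
             uint32_t seq, uint32_t ack, int check_ack) {
    tcp_conn_t c = { snd_una, snd_nxt, rcv_nxt, 1500, 0 };
    uint8_t buf[48];
    size_t n = build_frag_needed(buf, seq, ack, 1280);
    return icmp_tcp_error_plausible(buf, n, &c, check_ack);
}

/* PMTU in use after a plausible 1280-byte advisory followed by either an ACK
 * (ack_first = 1) or a retransmission timeout. */
uint32_t scenario_pmtud(int ack_first) {
    tcp_conn_t c = { 1000, 2000, 5000, 1500, 0 };
    uint8_t buf[48];
    size_t n = build_frag_needed(buf, 1500, 4000, 1280);
    pmtud_on_icmp(&c, buf, n);
    if (ack_first) pmtud_on_ack(&c);
    pmtud_on_rto(&c);
    return c.pmtu;
}

int main(void) {
    printf("in-window seq: %d\n", scenario(1000, 2000, 5000, 1500, 4000, 1));
    printf("seq past SND.NXT: %d\n", scenario(1000, 2000, 5000, 2500, 4000, 1));
    printf("PMTU after RTO: %u, after ACK: %u\n", scenario_pmtud(0), scenario_pmtud(1));
    return 0;
}
```

The wraparound-safe comparisons matter: a connection whose send window straddles 2^32 must still accept a quoted sequence number just past zero, and a stack that compares with plain `<` would wrongly reject it there and wrongly accept forged messages elsewhere. Note that with only the 8 guaranteed bytes of the original datagram (RFC 792) the sequence number is available but the acknowledgement number is not, which is why the PMTUD variant requires a longer quotation.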