At 03:13 27/02/2005 -0600, [EMAIL PROTECTED] wrote:
> By the way, one additional ICMP attack that could possibly be included
> in 5.2:
>
> 6. As the ICMP messages are passed to the upper-layer processes, it
>    is possible to perform attacks on the upper layer protocols
>    (e.g., TCP) with ICMP [TCP-attack]. Protecting the upper layer
>    with IPsec mitigates this problem, though the upper layers may
>    also perform some form of validation of ICMPs on their own.
>
> Where [TCP-attack] is an informative reference to
> draft-gont-tcpm-icmp-attacks-03.txt.
Interesting. I will try to add this to the next rev.
Note that if a host does not implement IPsec, blindly processing ICMP messages is probably not a good idea. For TCP, for example, you can check both the TCP SEQ and the ACK numbers. These checks (probably together with port randomization) mean that (practically) only on-path attackers can perform ICMP-based attacks against TCP.
All these checks are described in draft-gont-tcpm-icmp-attacks-03.txt, as pointed out by Pekka.
Kindest regards,
-- Fernando Gont e-mail: [EMAIL PROTECTED] || [EMAIL PROTECTED]
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
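The SEQ and ACK checks mentioned in the message above, sketched for an ICMPv6 error that quotes a TCP segment. This is an added example, not code from the draft or from anyone on the thread. The struct, function names and sample values are hypothetical; it assumes the quoted IPv6 packet carries no extension headers, and the ACK rule used (the quoted ACK may not exceed RCV.NXT) is this example's own assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical connection state; field names follow the RFC 793 variables. */
struct tcb { uint16_t lport, rport; uint32_t snd_una, snd_nxt, rcv_nxt; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
/* Sequence-space "a before b", safe across 32-bit wraparound. */
static int seq_lt(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }

/* q: packet quoted inside the ICMPv6 error (IPv6 header + leading TCP bytes).
 * Returns 1 if it could be a segment this connection sent, 0 to ignore it. */
int icmp_quote_plausible(const struct tcb *c, const uint8_t *q, size_t len)
{
    if (len < 40 + 8 || (q[0] >> 4) != 6 || q[6] != 6) /* IPv6, next header TCP */
        return 0;
    const uint8_t *t = q + 40;
    if (rd16(t) != c->lport || rd16(t + 2) != c->rport) /* we were the sender */
        return 0;
    uint32_t seq = rd32(t + 4);
    if (seq_lt(seq, c->snd_una) || !seq_lt(seq, c->snd_nxt))
        return 0;              /* not in flight: need SND.UNA <= SEQ < SND.NXT */
    if (len >= 40 + 12 && seq_lt(c->rcv_nxt, rd32(t + 8)))
        return 0;              /* we never acknowledge past RCV.NXT */
    return 1;
}

/* Constructed sample: quote of a segment with the given SEQ/ACK, checked
 * against a constructed connection (ports 49152 -> 80) whose send window
 * straddles the 32-bit wrap. tcp_bytes = how much of the TCP header is quoted. */
int sample_verdict(uint32_t seq, uint32_t ack, size_t tcp_bytes)
{
    struct tcb c = { 49152, 80, 0xfffffff0u, 0x00000100u, 5000 };
    uint8_t q[40 + 12] = { 0x60 };          /* version 6, rest zero */
    q[6] = 6;                               /* next header: TCP */
    q[40] = 0xc0; q[41] = 0x00; q[42] = 0x00; q[43] = 0x50;
    wr32(q + 44, seq); wr32(q + 48, ack);
    return icmp_quote_plausible(&c, q, 40 + tcp_bytes);
}

int main(void)
{
    printf("in-flight SEQ: %d\n", sample_verdict(0x00000010u, 5000, 12));
    printf("guessed SEQ:   %d\n", sample_verdict(0x12345678u, 5000, 12));
    return 0;
}
```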