OpenBSD fixes ICMP protocol bugs apparently ignored by the IETF

Chris Cappuccio chris at nmedia.net
Wed Jul 13 07:41:33 UTC 2005


Suresh Ramasubramanian [ops.lists at gmail.com] wrote:
> 
> And the guy who did this says that someone at cisco called him a
> terrorist, and that the IETF ignored him .. but Theo de Raadt believes
> him, and puts his changes into the openbsd codebase.
> 

He doesn't say that the IETF ignored him.  That's not accurate.  He
clearly says that the IETF did not care.  There's a difference.  The
issues were not considered important enough to fix by the IETF (as
the problems lie in the basic ICMP specifications.)

As for his claims about the Cisco manager, nobody called him a
terrorist; that's outright absurd.  Read more carefully.  What they did was
just as absurd but more subtle.  They pulled a Fox News.  Fernando clearly says
that "One of Cisco's managers of PSIRT said I was cooperating with terrorists,
because a terrorist could have gotten the information in the paper I wrote!"

He also says that Cisco claimed patent rights on solutions to 
the exploits.  This isn't made up.  Ask him for the email thread
with Cisco (or ask David Miller for that matter.)

Suresh, there's no reason to attempt to paint Fernando as a fringe loon.
In reality these ideas are just basic common sense, even more so as some
of these exploits are obviously well known yet none are widely solved.

Unfortunately several people replying to this article in various places
are already confusing sequence number tracking in TCP with the idea
of using the TCP sequence number in the ICMP error packet to track
its legitimacy.  That is (1) not implemented anywhere, since (2) to be useful
it would need to come from an IETF standard that everyone implements in
the next Windows hotfix, Linux kernel version, *BSD kernel, etc.  It would
make ICMP error messages just as hard to spoof as TCP RST packets themselves.
And finally, say you were a host that implemented this newer IETF ICMP
standard: you could just ignore (soft reset) packets from hosts with
no sequence number, while you do the correct hard reset for packets from
other hosts which are up to date.

> All for your basic ICMP source quench / hard ICMP error exploits, from
> a quick read through
> 

What is interesting about the article are the simple solutions for these
exploits.  While the fixes may seem trivial, that's all the more reason
to implement them.  The idea is to basically just disable certain old ICMP
facilities that are rarely used on the modern internet.  Why the
resistance to common sense?

-- 
"Attacks always get better; they never get worse."
  -- "Old NSA saying"
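The validation the post describes, checking the TCP sequence number quoted inside an ICMP error against the connection it claims to concern, as an added worked example that is not part of the original message or of the OpenBSD code it discusses. The connection state (`TcpConn` with SND.UNA / SND.NXT), the sample addresses and the "hard" error set (RFC 1122's protocol unreachable, port unreachable and fragmentation needed) are assumptions made here; the ICMP error layout follows RFC 792 (8-byte ICMP header, then the offending IPv4 header and the first 8 bytes of its payload).

```python
import struct
from dataclasses import dataclass

# Assumed "hard" errors (type, code), after RFC 1122: proto/port unreachable, frag needed.
HARD_ERRORS = {(3, 2), (3, 3), (3, 4)}

@dataclass
class TcpConn:
    """Minimal TCP connection state needed for the check (assumed layout)."""
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    snd_una: int  # oldest sequence number we sent that is still unacknowledged
    snd_nxt: int  # next sequence number we will send

def ip_bytes(a):
    return bytes(int(x) for x in a.split("."))

def build_icmp_error(icmp_type, code, src, dst, sport, dport, seq):
    """Constructed sample input: ICMP header + 20-byte IPv4 header + 8 bytes of TCP."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 6, 0,
                         ip_bytes(src), ip_bytes(dst))
    tcp8 = struct.pack("!HHI", sport, dport, seq)  # ports + sequence number
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + ip_hdr + tcp8

def seq_in_window(seq, una, nxt):
    """Modulo-2^32 test for una <= seq < nxt, as TCP sequence arithmetic requires."""
    return ((seq - una) & 0xFFFFFFFF) < ((nxt - una) & 0xFFFFFFFF)

def classify_icmp_error(icmp, conn):
    """Return 'drop', 'spoofed', 'soft' or 'hard' for an ICMP error aimed at conn."""
    if len(icmp) < 8 + 20:
        return "drop"
    icmp_type, code = icmp[0], icmp[1]
    inner = icmp[8:]                       # the datagram that provoked the error
    ihl = (inner[0] & 0x0F) * 4
    if len(inner) < ihl + 8 or inner[9] != 6:
        return "drop"                      # truncated, or not about a TCP segment
    src = ".".join(map(str, inner[12:16]))
    dst = ".".join(map(str, inner[16:20]))
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    if (src, sport, dst, dport) != (conn.local_addr, conn.local_port,
                                    conn.remote_addr, conn.remote_port):
        return "drop"                      # no connection matches the quoted 4-tuple
    if not seq_in_window(seq, conn.snd_una, conn.snd_nxt):
        return "spoofed"                   # quoted segment is not one we have in flight
    return "hard" if (icmp_type, code) in HARD_ERRORS else "soft"
```

Only an error whose quoted segment matches a live connection and falls inside the send window is acted on, so an off-path sender who knows the 4-tuple but not the current sequence range is rejected.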
