
ICMP attacks against TCP

To: netdev@xxxxxxxxxxx
Subject: ICMP attacks against TCP
From: Fernando Gont <fernando@xxxxxxxxxxx>
Date: Sun, 12 Sep 2004 22:40:04 -0300
Sender: netdev-bounce@xxxxxxxxxxx

Folks,

I'm the author of an IETF Internet Draft that discusses the use of ICMP to perform a number of attacks against TCP and other similar protocols. The draft can be found at: http://www.ietf.org/internet-drafts/draft-gont-tcpm-icmp-attacks-01.txt

The draft proposes some work-arounds that eliminate or minimize the impact of these attacks.

For example, one of the proposed work-arounds is to check the TCP sequence number that is included in the payload of ICMP error messages. While this check has been implemented in a number of TCP/IP stack implementations (including Linux), it has never been officially documented.

There are some other work-arounds (for example, ignoring ICMP Source Quench messages) that are not implemented in Linux, though.

I'd appreciate any comments on the draft, both for those work-arounds implemented by Linux and for those that aren't. Thus, I'd be able to address your comments in the next revision of the draft, and will also sum up your feedback and post it to the relevant IETF mailing list (the TCPM WG mailing list).
In case there's consensus that the proposed fixes are the right way to go, it will probably help to move the draft forward, and thus maybe the proposed work-arounds will be adopted by other TCP/IP stack implementations.


Thanks!

--
Fernando Gont
e-mail: fernando@xxxxxxxxxxx || fgont@xxxxxxx
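
The sequence-number check mentioned in the message above, sketched as an added example (not code from the post, the draft, or the Linux kernel). It assumes the check accepts an ICMP error only when the quoted TCP sequence number falls within data still in flight (SND.UNA <= SEQ < SND.NXT) and that the caller has already matched the connection by IP address; `struct conn`, `icmp_error_plausible` and `demo` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical per-connection state: local/remote ports plus the oldest
 * unacknowledged (SND.UNA) and next-to-send (SND.NXT) sequence numbers. */
struct conn { uint16_t sport, dport; uint32_t snd_una, snd_nxt; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* quoted: the ICMP error payload, i.e. the IPv4 header of the offending
 * packet followed by at least the first 8 bytes of its TCP header.
 * Returns 1 if the error plausibly refers to data this connection has
 * in flight, 0 if it should be ignored. */
int icmp_error_plausible(const struct conn *c, const uint8_t *quoted, size_t len)
{
    if (len < 20 || (quoted[0] >> 4) != 4)
        return 0;                        /* not an IPv4 header */
    size_t ihl = (size_t)(quoted[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8)
        return 0;                        /* truncated before the TCP seq */
    if (quoted[9] != 6)
        return 0;                        /* embedded protocol is not TCP */
    const uint8_t *tcp = quoted + ihl;
    if (rd16(tcp) != c->sport || rd16(tcp + 2) != c->dport)
        return 0;                        /* ports do not match */
    uint32_t seq = rd32(tcp + 4);
    /* Modular comparison so the check survives sequence wraparound:
     * accept only SND.UNA <= seq < SND.NXT. */
    return (uint32_t)(seq - c->snd_una) < (uint32_t)(c->snd_nxt - c->snd_una);
}

/* Constructed sample: a minimal quoted IPv4+TCP header (ports 40000 -> 80)
 * carrying sequence number seq, checked against the given send window. */
int demo(uint32_t una, uint32_t nxt, uint32_t seq)
{
    struct conn c = { 40000, 80, una, nxt };
    uint8_t q[28] = { 0x45 };            /* version 4, IHL 5, rest zeroed */
    q[9] = 6;                            /* protocol: TCP */
    q[20] = (uint8_t)(40000 >> 8); q[21] = (uint8_t)(40000 & 0xff);
    q[22] = 0; q[23] = 80;
    q[24] = (uint8_t)(seq >> 24); q[25] = (uint8_t)(seq >> 16);
    q[26] = (uint8_t)(seq >> 8);  q[27] = (uint8_t)seq;
    return icmp_error_plausible(&c, q, sizeof q);
}
```

An off-path sender that cannot observe the connection has to guess a value inside this window, which is what makes the check useful against blind ICMP-based resets.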


