Bugtraq mailing list archives

Re: ICMP fragmentation required but DF set problems.


From: antirez <antirez () invece org>
Date: Tue, 16 Jan 2001 00:31:54 +0100

On Mon, Jan 15, 2001 at 10:09:00PM -0800, Ofir Arkin wrote:
> This is a valid method, and known, to slow down a link between two hosts.

Ok, I guess that someone tried it first. As I stated, it's trivial
since other ICMP types were already abused.

> In my paper "ICMP Usage In Scanning" (currently version 2.5) Appendix B:
> ICMP "Fragmentation Needed but the Don't Fragment Bit was set" and the Path
> MTU Discovery Process (Page 132), I have outlined what should be done
> according to RFC 1191, http://www.ietf.org/rfc/rfc1191.txt, by J. Mogul, and
> S. Deering. I have also included information about "The TCP MSS (Maximum
> Segment Size) Option and PATH MTU Discovery Process".

Anyway I can't see a clear way to fix it.
The problem is that it's hard, for the TCP/IP stack, to guess whether
it sent the quoted packet.
One way can be, as usual, cryptography:
for example it may compute an HMAC to sign all the packets,
using an additional header with IPv6, and a key generated at boot time
(and refreshed at fixed intervals and/or after x packets sent).
The HMAC should include both the source and the destination IP address
(otherwise the attacker sends some packet, gets the HMAC and uses it
 in the quoted packet) and a random number.
Or some other way that can ensure that the given packet was
sent by one end to the other end.
Note that this is pretty different from the IPSEC stuff.

antirez

--
Salvatore Sanfilippo              |                      <antirez () invece org>
http://www.kyuzz.org/antirez      |      PGP: finger antirez () tella alicom com
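The following is an added toy model of the HMAC-stamped-packet idea antirez sketches above; it is editor-written example code, not code from the original post or from any real TCP/IP stack. It assumes a hypothetical extra header laid out as nonce || truncated HMAC-SHA256 tag, a boot-time key, and constructed IPv6 addresses. The point it demonstrates is the one in the parenthesis of the post: the tag must bind both source and destination, otherwise an attacker who receives a stamped packet from the victim can paste that tag into a forged ICMP "fragmentation needed" error quoting a packet to a third host.

```python
"""Toy model of the HMAC-stamped-packet proposal (added example, not the post's code).

A host keys an HMAC at boot, stamps every outgoing packet with a tag over
(src, dst, nonce), and only honours an ICMP "fragmentation needed, DF set"
error whose quoted packet carries a tag that verifies under its own key.
Header layout, key, addresses and nonces are assumptions constructed here.
"""
import hashlib
import hmac
import ipaddress
import os
from typing import Optional

TAG_LEN = 16      # truncated HMAC-SHA256 output carried in the extra header (assumed)
NONCE_LEN = 8     # random per-packet number included in the HMAC input (assumed)


class PmtuStamper:
    """One host's view: a boot-time key plus the nonces of packets it has sent."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else os.urandom(32)
        # A real stack would keep a bounded window; a set is enough for the demo.
        self.sent_nonces: set = set()

    def _tag(self, src: str, dst: str, nonce: bytes) -> bytes:
        # Bind src AND dst, as the post requires, plus the random number.
        msg = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + nonce
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:TAG_LEN]

    def stamp(self, src: str, dst: str) -> bytes:
        """Build the extra header for an outgoing packet: nonce || tag."""
        nonce = os.urandom(NONCE_LEN)
        self.sent_nonces.add(nonce)
        return nonce + self._tag(src, dst, nonce)

    def accept_pmtu_error(self, quoted_src: str, quoted_dst: str, quoted_hdr: bytes) -> bool:
        """Return True only if the quoted packet was genuinely sent by this host."""
        if len(quoted_hdr) != NONCE_LEN + TAG_LEN:
            return False
        nonce, tag = quoted_hdr[:NONCE_LEN], quoted_hdr[NONCE_LEN:]
        if nonce not in self.sent_nonces:
            return False      # no packet with this nonce ever left this host
        return hmac.compare_digest(tag, self._tag(quoted_src, quoted_dst, nonce))


def demo() -> dict:
    """Run the scenarios from the post against one victim host (constructed addresses)."""
    victim = PmtuStamper()
    victim_ip, attacker_ip, peer_ip = "2001:db8::1", "2001:db8::bad", "2001:db8::2"

    # The victim talks to the attacker, so the attacker sees one valid stamp...
    hdr_to_attacker = victim.stamp(victim_ip, attacker_ip)
    # ...and also talks to a legitimate peer, whose path may really need a smaller MTU.
    hdr_to_peer = victim.stamp(victim_ip, peer_ip)

    return {
        # A genuine router error quoting the victim->peer packet is honoured.
        "genuine_error": victim.accept_pmtu_error(victim_ip, peer_ip, hdr_to_peer),
        # The attacker can only "lower the MTU" for its own link with the tag it saw.
        "attacker_own_link": victim.accept_pmtu_error(victim_ip, attacker_ip, hdr_to_attacker),
        # Replaying that tag inside a quoted victim->peer packet fails: dst is bound.
        "replayed_tag_wrong_dst": victim.accept_pmtu_error(victim_ip, peer_ip, hdr_to_attacker),
        # A header forged without the key fails (unknown nonce).
        "forged_header": victim.accept_pmtu_error(
            victim_ip, peer_ip, os.urandom(NONCE_LEN + TAG_LEN)),
        # A real nonce with a guessed tag fails the HMAC check.
        "forged_tag_real_nonce": victim.accept_pmtu_error(
            victim_ip, peer_ip, hdr_to_peer[:NONCE_LEN] + bytes(TAG_LEN)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} -> {'accepted' if ok else 'rejected'}")
```

The `sent_nonces` check is the part the post leaves implicit: binding the addresses stops an attacker from reusing a stamp across destinations, but without some memory of what was actually sent a host still cannot tell a replayed stamp from a fresh one, which is why a real implementation would need a bounded window of outstanding nonces (or a sequence number) rather than the unbounded set used here.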

