On Tue, Mar 20, 2018 at 3:44 PM, David Bird <[email protected]> wrote:
> > - An ICMP message by itself is not secure. For example, it's trivial for an off-path attacker to generate ICMP messages for sessions from legitimate UEs to <popularwebsite>:443. Getting a UE to trust such a message only requires getting the ephemeral port right, and many OSes have a quite limited range of ephemeral ports.
>
> Is there any data that shows ICMP (and its insecurity) being used for off-path attacks like this today? Networks (as they do today) may just filter out ICMP they don't support from the edge.

Regardless of whether this is happening today, it seems unwise to propose something with an obvious security hole like this. The risk is that we do a bunch of work and then security review tells us "?REDO FROM START".

> > 3. The notification should not be on a per-destination basis. A hint that conveys the information "you can reach facebook, but to reach CNN you need to upgrade to another service plan" is not technically infeasible but is unlikely ever to reach WG and IETF consensus and therefore I think we should not spend our time talking about it.
>
> Can't a network have this policy irrespective of how we implement ICMP? Can't they even today just use existing ICMP messages? I cringe when we start dictating how PUBLIC ACCESS networks manage their walled garden and businesses.

My point was that there's no use in having that discussion, because we know there are strong opinions on both sides and thus we're not likely to get consensus.
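The receiver-side check that the "ICMP by itself is not secure" point implies, as an added example that is not from this thread or from any draft discussed in it: a host validates an ICMPv4 Destination Unreachable message against its own TCP connection table, accepting it only when the quoted inner headers match a live 4-tuple and carry a sequence number currently in flight (the sequence-window test follows RFC 5927; the addresses, ports and connection table are constructed sample values).

```python
import struct
import ipaddress

# Constructed sample: build an ICMPv4 type 3 (Destination Unreachable) message
# that quotes an IPv4 header plus the first 12 bytes of a TCP header, as a
# real router would. Used here only to feed the validator below.
def build_icmp_unreach(src, dst, sport, dport, seq, code=3):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHII", sport, dport, seq, 0)   # ports, seq, ack
    return struct.pack("!BBHI", 3, code, 0, 0) + ip + tcp

def parse_quoted(icmp):
    """Return (src, dst, sport, dport, seq) from the quoted inner packet,
    or None if the message is not a type 3 quoting a TCP segment."""
    if len(icmp) < 8 + 20 + 8 or icmp[0] != 3:
        return None
    inner = icmp[8:]                       # quoted original datagram
    ihl = (inner[0] & 0x0F) * 4            # inner IPv4 header length
    if len(inner) < ihl + 8 or inner[9] != 6:   # protocol must be TCP
        return None
    src = str(ipaddress.IPv4Address(inner[12:16]))
    dst = str(ipaddress.IPv4Address(inner[16:20]))
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    return src, dst, sport, dport, seq

def icmp_matches_session(icmp, sessions):
    """sessions maps (local_ip, local_port, remote_ip, remote_port) to
    (snd_una, snd_nxt). True only if the quoted segment is one this host
    could actually have sent: right 4-tuple AND a sequence number that is
    still unacknowledged. Guessing the ephemeral port alone is not enough.
    (Sequence-number wraparound is not handled in this sample.)"""
    quoted = parse_quoted(icmp)
    if quoted is None:
        return False
    src, dst, sport, dport, seq = quoted
    window = sessions.get((src, sport, dst, dport))
    if window is None:
        return False                       # unknown 4-tuple: drop it
    snd_una, snd_nxt = window
    return snd_una <= seq < snd_nxt        # RFC 5927 style window check
```

A message that names a real connection but quotes a sequence number outside the send window is rejected, which is what removes most of the leverage an off-path sender gets from a small ephemeral port range.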