From owner-freebsd-security  Mon Jul  9 17:14:32 2001
Delivered-To: freebsd-security@freebsd.org
Received: from sec-tools.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142])
	by hub.freebsd.org (Postfix) with ESMTP id BC24737B401
	for <freebsd-security@FreeBSD.ORG>; Mon,  9 Jul 2001 17:14:25 -0700 (PDT)
	(envelope-from cclark@globalstar.com)
Received: (from cclark@localhost)
	by sec-tools.corp.globalstar.com (8.11.3/8.11.3) id f6A0CT687395;
	Mon, 9 Jul 2001 17:12:29 -0700 (PDT)
	(envelope-from cclark)
Date: Mon, 9 Jul 2001 17:12:29 -0700
From: "Crist J. Clark" <cclark@globalstar.com>
To: Darren Reed <avalon@coombs.anu.edu.au>
Cc: Dragos Ruiu <dr@kyx.net>, Mike Silbersack <silby@silby.com>,
	cjclark@alum.mit.edu, Yonatan Bokovza <Yonatan@xpert.com>,
	"'freebsd-security@freebsd.org'" <freebsd-security@FreeBSD.ORG>
Subject: Re: FW: Small TCP packets == very large overhead == DoS?
Message-ID: <20010709171229.D87064@sec-tools.corp.globalstar.com>
References: <0107082333531I.08020@smp.kyx.net> <200107090855.SAA12298@caligula.anu.edu.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: <200107090855.SAA12298@caligula.anu.edu.au>; from avalon@coombs.anu.edu.au on Mon, Jul 09, 2001 at 06:55:44PM +1000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Mon, Jul 09, 2001 at 06:55:44PM +1000, Darren Reed wrote:

[snip]

> MSS is the largest fragment the OS will send.  It could send smaller ones
> than the MSS value but that'd be inefficient.  Larger ones are not going
> to be well received, if at all.

OK, it may just be that I have been looking at this too long
but... Doesn't following seem wrong?

  16:23:09.673022 172.18.113.26.4648 > AAA.BBB.CCC.106.80: S 3084535793:3084535793(0) win 16384 <mss 1460> (DF) (ttl 64, id 63179)
  16:23:09.673782 AAA.BBB.CCC.106.80 > 172.18.113.26.4648: S 1140257897:1140257897(0) ack 3084535794 win 8760 <mss 1460> (DF) (ttl 254, id 42862)

OK, both sides only want 1460 bytes as the maximum segment size,
right? But then a few packets later in this connection,

  16:23:09.679401 AAA.BBB.CCC.106.80 > 172.18.113.26.4648: . 584:2044(1460) ack 310 win 8760 (DF) (ttl 254, id 42866)
  0x0000   4500 05dc a772 4000 fe06 48b9 AABB CC6a        E....r@...H..X.j
  0x0010   ac12 711a 0050 1228 43f6 f6b1 b7da 4927        ..q..P.(C.....I'
  0x0020   5010 2238 3084 0000 0a3c 5343 5249 5054        P."80....<SCRIPT
  0x0030   204c 414e 4755 4147 453d 224a 6176 6153        .LANGUAGE="JavaS
  0x0040   6372 6970 7422 3e0a 0a3c 212d 2d0a 0a69        cript">..<!--..i
  0x0050   6620                                           f.

Now the total datagram length is 1500 (0x05dc) bytes, and the IP
header is 20 (5x4) bytes. That means that the TCP segment is 1480
bytes long, no? Yes, the data portion of the segment is 1460 bytes,
but the whole segment is 1480. From my reading of the STD, the MSS is
the _whole_ segment size, not the data portion of the segment... Or
maybe it's not? The RFC also says,

  segment length
            The amount of sequence number space occupied by a segment,
            including any controls which occupy sequence space.

Which uses the term "length." However, the definition of MSS only
talks about "size," and there is no indication I find that "size" and
"length" are the same thing.

So either all of the TCP implementations I can find are wrong and seem
to believe MSS is the maximum data length within a segment as opposed
to the actual segment size, or I am wrong. 

I figure it's me, but I'm not sure where.
-- 
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.  If
the reader of this e-mail is not the intended recipient, or the employee
or agent responsible to deliver it to the intended recipient, you are
hereby notified that any review, dissemination, distribution or copying
of this communication is strictly prohibited.  If you have received this
e-mail in error, please contact postmaster@globalstar.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message