From owner-freebsd-security  Mon Jul  9 17:40:10 2001
Delivered-To: freebsd-security@freebsd.org
Received: from caligula.anu.edu.au (caligula.anu.edu.au [150.203.224.42])
	by hub.freebsd.org (Postfix) with ESMTP id D8A7937B401
	for <freebsd-security@FreeBSD.ORG>; Mon,  9 Jul 2001 17:40:01 -0700 (PDT)
	(envelope-from avalon@caligula.anu.edu.au)
Received: (from avalon@localhost)
	by caligula.anu.edu.au (8.9.3/8.9.3) id KAA06761;
	Tue, 10 Jul 2001 10:39:25 +1000 (EST)
From: Darren Reed <avalon@coombs.anu.edu.au>
Message-Id: <200107100039.KAA06761@caligula.anu.edu.au>
Subject: Re: FW: Small TCP packets == very large overhead == DoS?
To: cclark@globalstar.com (Crist J. Clark)
Date: Tue, 10 Jul 2001 10:39:25 +1000 (Australia/ACT)
Cc: avalon@coombs.anu.edu.au (Darren Reed), dr@kyx.net (Dragos Ruiu),
	silby@silby.com (Mike Silbersack), cjclark@alum.mit.edu,
	Yonatan@xpert.com (Yonatan Bokovza),
	freebsd-security@FreeBSD.ORG ('freebsd-security@freebsd.org')
In-Reply-To: <20010709171229.D87064@sec-tools.corp.globalstar.com> from "Crist J. Clark" at Jul 09, 2001 05:12:29 PM
X-Mailer: ELM [version 2.5 PL1]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

In some mail from Crist J. Clark, sie said:
> 
> On Mon, Jul 09, 2001 at 06:55:44PM +1000, Darren Reed wrote:
> 
> [snip]
> 
> > MSS is the largest fragment the OS will send.  It could send smaller ones
> > than the MSS value but that'd be inefficient.  Larger ones are not going
> > to be well received, if at all.
> 
> OK, it may just be that I have been looking at this too long
> but... Doesn't following seem wrong?
> 
>   16:23:09.673022 172.18.113.26.4648 > AAA.BBB.CCC.106.80: S 3084535793:3084535793(0) win 16384 <mss 1460> (DF) (ttl 64, id 63179)
>   16:23:09.673782 AAA.BBB.CCC.106.80 > 172.18.113.26.4648: S 1140257897:1140257897(0) ack 3084535794 win 8760 <mss 1460> (DF) (ttl 254, id 42862)
> 
> OK, both sides only want 1460 bytes as the maximum segment size,
> right? But then a few packets later in this connection,
> 
>   16:23:09.679401 AAA.BBB.CCC.106.80 > 172.18.113.26.4648: . 584:2044(1460) ack 310 win 8760 (DF) (ttl 254, id 42866)
>   0x0000   4500 05dc a772 4000 fe06 48b9 AABB CC6a        E....r@...H..X.j
>   0x0010   ac12 711a 0050 1228 43f6 f6b1 b7da 4927        ..q..P.(C.....I'
>   0x0020   5010 2238 3084 0000 0a3c 5343 5249 5054        P."80....<SCRIPT
>   0x0030   204c 414e 4755 4147 453d 224a 6176 6153        .LANGUAGE="JavaS
>   0x0040   6372 6970 7422 3e0a 0a3c 212d 2d0a 0a69        cript">..<!--..i
>   0x0050   6620                                           f.
> 
> Now the total datagram length is 1500 (0x05dc) bytes, and the IP
> header is 20 (5x4) bytes. That means that the TCP segment is 1480
> bytes long, no? Yes, the data portion of the segment is 1460 bytes,
> but the whole segment is 1480. From my reading of the STD, the MSS is
> the _whole_ segment size, not the data portion of the segment... Or
> maybe it's not? The RFC also says,
> 
>   segment length
>             The amount of sequence number space occupied by a segment,
>             including any controls which occupy sequence space.
> 
> Which uses the term "length." However, the definition of MSS only
> talks about "size," and there is no indication I find that "size" and
> "length" are the same thing.
> 
> So either all of the TCP implementations I can find are wrong and seem
> to believe MSS is the maximum data length within a segment as opposed
> to the actual segment size, or I am wrong. 

The devil is in the details.  The paragraph about "segment length" explains
it pretty well - it's the amount of sequence number space (i.e. data length).

The data payload of the IP packet (above) is 1480 bytes long, the TCP
segment size (again data payload) is 1460.  The segment length (or size)
is the sequence number space which is the same as data payload length.

I think you're saying that "TCP segment" to be something it isn't.

Darren

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message