Date: Fri, 4 Jan 2002 13:26:54 -0800
From: William Carrel
To: Terry Lambert
Cc: freebsd-hackers@freebsd.org
Subject: Re: path_mtu_discovery
In-Reply-To: <3C36149B.B9C02DCF@mindspring.com>

On Friday, January 4, 2002, at 12:46 PM, Terry Lambert wrote:

> William Carrel wrote:
>
>> ipfilter with 'keep state' on the connections will automatically allow
>> back in relevant ICMP messages such as mustfrag.
>
> Heh... I need to try to write a "mustfrag" daemon, which will
> spoof them back whenever it sees traffic... and see what happens.

See now you've made me curious, and I ask myself questions like: How robust is PMTU-D against someone malicious who wants to make us send tinygrams? Could the connection eventually be forced down to an MTU so low that no actual data transfer could occur, or TCP frames with only one byte of information?

Granted, the malicious person has to send back a valid set of headers with their ICMP to get through ipfilter; but now I have this bad feeling lurking in the back of my mind...

The bad feeling is helped along by observing sys/netinet/ip_icmp.c and the fact that as long as the MTU suggested is greater than 296 bytes we accept the values of any ICMP mustfrag that comes in provided we have a host route for it.

I suppose we'll always get a couple hundred bytes in edgewise anyway, but it all makes for an interesting exercise. I wonder about the robustness of other operating systems to such an attack...

--
Andy Carrel - william.carrel@infospace.com - +1 (425) 201-8745
Señor Systems Eng. - Corporate Infrastructure Applications - InfoSpace
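
Added example, not part of the original message and not FreeBSD's ip_icmp.c: a simplified model of the acceptance rule the message describes (any suggested MTU above 296 bytes), beside a stricter rule that also requires the TCP sequence number quoted in the ICMP payload to be in flight and the MTU to actually shrink, the kind of validation RFC 5927 discusses. The struct layouts, function names and sample values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MTU_FLOOR   296u /* threshold the message cites from ip_icmp.c */
#define IP_TCP_HDRS 40u  /* 20-byte IPv4 + 20-byte TCP header, no options */

/* Hypothetical per-connection state; field names are illustrative. */
struct conn {
    uint32_t snd_una;  /* oldest unacknowledged sequence number */
    uint32_t snd_max;  /* highest sequence number sent so far */
    uint32_t path_mtu; /* current path MTU estimate */
};

/* Fields recovered from an ICMP "fragmentation needed" message. */
struct needfrag {
    uint32_t next_hop_mtu; /* MTU advertised by the ICMP sender */
    uint32_t quoted_seq;   /* TCP sequence number in the quoted header */
};

/* Rule as described in the message: any MTU above the floor is accepted. */
static bool accept_naive(const struct needfrag *m)
{
    return m->next_hop_mtu > MTU_FLOOR;
}

/* Stricter rule: quoted segment must be in flight and the MTU must shrink. */
static bool accept_strict(const struct conn *c, const struct needfrag *m)
{
    /* Unsigned subtraction keeps the window test correct across wraparound. */
    bool in_flight = (m->quoted_seq - c->snd_una) < (c->snd_max - c->snd_una);
    return in_flight &&
           m->next_hop_mtu > MTU_FLOOR &&
           m->next_hop_mtu < c->path_mtu;
}

/* TCP payload bytes per packet once an MTU has been accepted. */
static uint32_t payload_per_packet(uint32_t mtu)
{
    return mtu > IP_TCP_HDRS ? mtu - IP_TCP_HDRS : 0;
}

int main(void)
{
    struct conn c = { 1000, 5000, 1500 };     /* constructed sample state */
    struct needfrag forged = { 297, 900000 }; /* constructed: seq not in flight */
    printf("naive=%d strict=%d\n", accept_naive(&forged), accept_strict(&c, &forged));
    return 0;
}
```

With the 296-byte floor, the smallest accepted MTU still leaves 257 bytes of TCP payload per packet, which matches the "couple hundred bytes" estimate in the message.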