From owner-freebsd-hackers Fri Jan 4 16:52:28 2002
Date: Fri, 4 Jan 2002 19:52:23 -0500
From: Leo Bicknell
To: "Rogier R. Mulhuijzen"
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: path_mtu_discovery
Message-ID: <20020105005223.GA55340@ussenterprise.ufp.org>
In-Reply-To: <5.1.0.14.0.20020105011402.01d75230@mail.drwilco.net>
Organization: United Federation of Planets

In a message written on Sat, Jan 05, 2002 at 01:14:24AM +0100, Rogier R. Mulhuijzen wrote:
> >I suppose so, but then you won't be able to connect to machines with
> >minuscule path MTUs, and that should definitely be a warning. But then
> >it beats Linux which allows the path MTU to be reduced to 69 bytes (ouch!).
>
> Ouch indeed. Well default would be what we have now, but you'd be able to
> tune it. The way I see it is that the attack would be most common on the
> internet, and minuscule MTUs would most probably occur in specialistic
> environments. Admins of potential targets would raise the minimum to a nice
> value (say 512 or 1024), and print a message when something requests
> something below this minimum, for troubleshooting ease. Or maybe a soft
> limit and a hard limit. Soft limit triggers a message, hard limit is
> enforced.
ftp://ftp.isi.edu/in-notes/rfc791.txt

] Every internet module must be able to forward a datagram of 68
] octets without further fragmentation. This is because an internet
] header may be up to 60 octets, and the minimum fragment is 8 octets.

And

] Every internet destination must be able to receive a datagram of 576
] octets either in one piece or in fragments to be reassembled.

Not as good as I hoped. So, it would seem the roadmap would look
something like this:

1) Ensure FreeBSD won't allow an MTU < 68 bytes ever. (ifconfig, icmp mtu
   messages, anything)

2) Implement a warning if the MTU is set smaller than some minimum value
   (perhaps 576 for the global internet) if admins wish to see such things.

3) Allow admins to enforce a higher minimum size for servers in attack
   situations, knowing this violates the RFC.

-- 
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
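The soft-limit / hard-limit policy Rogier sketches and the three roadmap steps above, as an added example in C that is not code from this message or from the FreeBSD kernel. The policy struct, the function names, the 576/296 defaults, the loose policy and the sample ICMP header are all assumed for illustration; the hard floor is clamped to the RFC 791 value of 68 so that no tuning can go below it.

```c
/* Added example, not code from the message above or from the FreeBSD
 * kernel; every name below is hypothetical. Applies a soft/hard minimum
 * to the Next-Hop MTU of an ICMP "fragmentation needed" message (RFC 1191). */
#include <stdint.h>
#include <stddef.h>

#define IP_MIN_MTU 68        /* RFC 791: every module forwards 68 octets */

struct pmtu_policy {
    uint16_t soft_min;       /* below this: accept, but log for troubleshooting */
    uint16_t hard_min;       /* below this: refuse, keep the existing MTU */
};

/* Constructed defaults: warn below 576 (RFC 791 receive minimum), refuse below 296. */
const struct pmtu_policy default_policy = { 576, 296 };
/* Constructed misconfiguration: hard_min 0 must still clamp to IP_MIN_MTU. */
const struct pmtu_policy loose_policy = { 576, 0 };

enum pmtu_verdict { PMTU_ACCEPT = 0, PMTU_WARN = 1, PMTU_REJECT = 2 };

/* Classify a reported MTU; the hard floor never drops below IP_MIN_MTU (step 1). */
enum pmtu_verdict pmtu_check(const struct pmtu_policy *p, uint16_t reported)
{
    uint16_t hard = p->hard_min < IP_MIN_MTU ? IP_MIN_MTU : p->hard_min;
    if (reported < hard)
        return PMTU_REJECT;
    return reported < p->soft_min ? PMTU_WARN : PMTU_ACCEPT;
}

/* MTU the route should carry afterwards: ICMP may only lower it, and a
 * rejected report leaves it untouched (the caller logs a WARN verdict). */
uint16_t pmtu_install(const struct pmtu_policy *p, uint16_t reported,
                      uint16_t current)
{
    if (pmtu_check(p, reported) == PMTU_REJECT || reported >= current)
        return current;
    return reported;
}

/* Next-Hop MTU is bytes 6-7 (network order) of a type 3 / code 4 ICMP
 * header; return 0 for any other or truncated message. */
uint16_t icmp_nexthop_mtu(const uint8_t *icmp, size_t len)
{
    if (len < 8 || icmp[0] != 3 || icmp[1] != 4)
        return 0;
    return (uint16_t)((icmp[6] << 8) | icmp[7]);
}

/* Constructed sample: type 3, code 4, zero checksum/unused, MTU 0x0028 = 40. */
const uint8_t sample_icmp[8] = { 3, 4, 0, 0, 0, 0, 0x00, 0x28 };
```

Under the default policy the constructed 40-octet report is rejected and the route keeps its current MTU, while a report of 400 is installed but flagged for the admin's log.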