Date: Tue, 11 Jun 2002 11:30:20 -0500 (CDT)
From: Mike Silbersack <silby@silby.com>
To: Mikael Olsson <mikael.olsson@clavister.com>
Cc: Phil Dibowitz <webmaster@ipom.com>, Jean-Yves Lefort <jylefort@brutele.be>, <freebsd-net@freebsd.org>
Subject: Re: Broken PMTUD in FreeBSD?
Message-ID: <20020611112119.N23986-100000@patrocles.silby.com>
In-Reply-To: <3D060A6C.5204B402@clavister.com>

(I'm redirecting this back to freebsd-net, as it doesn't seem appropriate for bugtraq.)

I did some quick investigation last night, and agree with Phil that this is a bug. When the syncache was implemented, only a subset of the normal tcp output code was copied over for the purpose of sending syn-acks. One part of the code that was not moved over was the part that determines when the DF and tos bits are set.

I also agree with Mikael that this isn't an important issue, given that syn-ack packets are quite tiny. Nonetheless, I will commit a fix in the next few days. However, it's too late to MFC it in time for 4.6-release.

Phil: In the future, please try a bit harder to notify someone if you believe that a bug is serious enough for posting to bugtraq. freebsd-net is a relatively busy list, and things do get missed.

Mike "Silby" Silbersack

On Tue, 11 Jun 2002, Mikael Olsson wrote:

>
> Phil Dibowitz wrote:
> >
> > [FreeBSD doesn't set DF in SYN/ACK]
> >
> > I don't consider this a big security hole, but it is a bug. It could
> > be used to do TCP fingerprinting, and it also breaks a standard
>
> Is this really a bug? I wouldn't be so sure. What is the purpose of
> setting DF in a SYN/ACK segment? It's not like it can react to
> returned ICMP errors and decrease the size of segment (only 40 bytes
> of IP and TCP header and a few options).
>
> I'd even argue that it's a feature. If something has an MTU that
> is so small that it can't pass TCP segments without data, there's
> nothing to be done about it, and you should let fragmentation occur.
>
>
> The fingerprinting point is sort of valid, I guess. However, since
> there are already BSD boxes out there doing this, the fingerprint
> value would be even greater (the fingerprint match more narrow) if
> one were to change it now.
>
> --
> Mikael Olsson, Clavister AB
> Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
> Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
> Fax: +46 (0)660 122 50 WWW: http://www.clavister.com
>
> "Senex semper diu dormit"
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
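
A way to check a capture for the behaviour discussed in this thread, as an added example that is not part of the original message or of FreeBSD's code: it parses raw IPv4 packets and lists the SYN/ACK segments whose DF bit is clear. The packet bytes, addresses and function names are constructed for illustration.

```python
import struct

IP_DF = 0x4000               # "Don't Fragment" bit in the IPv4 flags/fragment-offset field
TH_SYN, TH_ACK = 0x02, 0x10  # TCP flag bits

def inspect(pkt: bytes):
    """Return (is_synack, df_set, tos) for a raw IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None                          # too short or not IPv4
    ihl = (pkt[0] & 0x0F) * 4                # IP header length in bytes
    if ihl < 20 or pkt[9] != 6 or len(pkt) < ihl + 20:
        return None                          # bad header, not TCP, or truncated
    tos = pkt[1]
    flags_frag = struct.unpack_from("!H", pkt, 6)[0]
    tcp_flags = pkt[ihl + 13]
    is_synack = (tcp_flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK)
    return is_synack, bool(flags_frag & IP_DF), tos

def synacks_without_df(packets):
    """Indexes of SYN/ACK packets whose IP header has DF clear."""
    hits = []
    for i, pkt in enumerate(packets):
        info = inspect(pkt)
        if info and info[0] and not info[1]:
            hits.append(i)
    return hits

def build(tcp_flags, df, tos=0):
    """Constructed sample: 20-byte IPv4 header + 20-byte TCP header, checksums 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 1, IP_DF if df else 0,
                     64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1000, 2001,
                      5 << 4, tcp_flags, 65535, 0, 0)
    return ip + tcp

# Constructed packets (documentation addresses), not taken from a real capture.
SAMPLES = [
    build(TH_SYN | TH_ACK, df=False),  # SYN/ACK with DF clear, as reported in the thread
    build(TH_ACK, df=True),            # plain ACK with DF set: not a SYN/ACK, ignored
    build(TH_SYN | TH_ACK, df=True),   # SYN/ACK with DF set
]

if __name__ == "__main__":
    print(synacks_without_df(SAMPLES))
```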