From owner-freebsd-net Tue Jun 11 9:29:43 2002
Date: Tue, 11 Jun 2002 11:30:20 -0500 (CDT)
From: Mike Silbersack
To: Mikael Olsson
Cc: Phil Dibowitz, Jean-Yves Lefort
Subject: Re: Broken PMTUD in FreeBSD?
In-Reply-To: <3D060A6C.5204B402@clavister.com>
Message-ID: <20020611112119.N23986-100000@patrocles.silby.com>

(I'm redirecting this back to freebsd-net, as it doesn't seem
appropriate for bugtraq.)

I did some quick investigation last night, and agree with Phil that
this is a bug. When the syncache was implemented, only a subset of the
normal tcp output code was copied over for the purpose of sending
syn-acks. One part of the code that was not moved over was the part
that determines when the DF and tos bits are set.

I also agree with Mikael that this isn't an important issue, given that
syn-ack packets are quite tiny. Nonetheless, I will commit a fix in
the next few days. However, it's too late to MFC it in time for
4.6-release.

Phil: In the future, please try a bit harder to notify someone if you
believe that a bug is serious enough for posting to bugtraq.
freebsd-net is a relatively busy list, and things do get missed.

Mike "Silby" Silbersack

On Tue, 11 Jun 2002, Mikael Olsson wrote:

>
> Phil Dibowitz wrote:
> >
> > [FreeBSD doesn't set DF in SYN/ACK]
> >
> > I don't consider this a big security hole, but it is a bug. It could
> > be used to do TCP fingerprinting, and it also breaks a standard
>
> Is this really a bug? I wouldn't be so sure. What is the purpose of
> setting DF in a SYN/ACK segment? It's not like it can react to
> returned ICMP errors and decrease the size of segment (only 40 bytes
> of IP and TCP header and a few options).
>
> I'd even argue that it's a feature. If something has an MTU that
> is so small that it can't pass TCP segments without data, there's
> nothing to be done about it, and you should let fragmentation occur.
>
>
> The fingerprinting point is sort of valid, I guess. However, since
> there are already BSD boxes out there doing this, the fingerprint
> value would be even greater (the fingerprint match more narrow) if
> one were to change it now.
>
> --
> Mikael Olsson, Clavister AB
> Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
> Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
> Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
>
> "Senex semper diu dormit"
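
An added example, not part of the original thread and not FreeBSD code: a Python check over captured IPv4/TCP packets that reports hosts whose SYN/ACK segments leave DF clear while their other TCP segments set it, which is one way to confirm the behaviour reported above or to verify a fix. The function names are hypothetical, and the packet bytes and addresses (documentation ranges) are constructed.

```python
import struct
from collections import defaultdict

IP_DF = 0x4000                 # "don't fragment" bit in the IPv4 flags/offset field
TCP_SYN, TCP_ACK = 0x02, 0x10

def parse(pkt):
    """Return (src, df_set, tcp_flags) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                  # header length varies with IP options
    flags_off, = struct.unpack_from("!H", pkt, 6)
    if pkt[9] != 6 or ihl < 20 or len(pkt) < ihl + 14:
        return None
    if flags_off & 0x1FFF:                     # non-first fragment: no TCP header here
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    return src, bool(flags_off & IP_DF), pkt[ihl + 13]

def inconsistent_df_hosts(packets):
    """Hosts whose SYN/ACKs lack DF while their other TCP segments set it."""
    seen = defaultdict(lambda: {"synack_no_df": 0, "other_df": 0})
    for pkt in packets:
        parsed = parse(pkt)
        if parsed is None:
            continue
        src, df, flags = parsed
        is_synack = (flags & (TCP_SYN | TCP_ACK)) == (TCP_SYN | TCP_ACK)
        if is_synack and not df:
            seen[src]["synack_no_df"] += 1
        elif not is_synack and df:
            seen[src]["other_df"] += 1
    return sorted(h for h, c in seen.items() if c["synack_no_df"] and c["other_df"])

def build(src, df, tcp_flags, payload=b""):
    """Constructed sample packet (checksums left at zero; not validated here)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0,
                     IP_DF if df else 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes([192, 0, 2, 1]))
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1, 1, 5 << 4, tcp_flags, 65535, 0, 0)
    return ip + tcp + payload

SAMPLE = [  # constructed traffic: .10 shows the reported behaviour, .20 is consistent
    build("198.51.100.10", False, TCP_SYN | TCP_ACK),
    build("198.51.100.10", True, TCP_ACK, b"data"),
    build("198.51.100.20", True, TCP_SYN | TCP_ACK),
    build("198.51.100.20", True, TCP_ACK, b"data"),
]
```

Calling `inconsistent_df_hosts(SAMPLE)` flags only the first host; IPv6 and non-first fragments are skipped by `parse`.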