From owner-cvs-src@FreeBSD.ORG  Thu Apr 21 14:29:34 2005
Return-Path: <owner-cvs-src@FreeBSD.ORG>
Delivered-To: cvs-src@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id B9B5216A4CE; Thu, 21 Apr 2005 14:29:34 +0000 (GMT)
Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 99CD443D1D; Thu, 21 Apr 2005 14:29:34 +0000 (GMT)
	(envelope-from andre@FreeBSD.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1])
	by repoman.freebsd.org (8.13.1/8.13.1) with ESMTP id j3LETYp3018409;
	Thu, 21 Apr 2005 14:29:34 GMT
	(envelope-from andre@repoman.freebsd.org)
Received: (from andre@localhost)
	by repoman.freebsd.org (8.13.1/8.13.1/Submit) id j3LETYoT018408;
	Thu, 21 Apr 2005 14:29:34 GMT
	(envelope-from andre)
Message-Id: <200504211429.j3LETYoT018408@repoman.freebsd.org>
From: Andre Oppermann <andre@FreeBSD.org>
Date: Thu, 21 Apr 2005 14:29:34 +0000 (UTC)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org,
	cvs-all@FreeBSD.org
X-FreeBSD-CVS-Branch: HEAD
Subject: cvs commit: src/sys/netinet ip_icmp.c ip_icmp.h tcp_subr.c
X-BeenThere: cvs-src@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: CVS commit messages for the src tree <cvs-src.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-src>,
	<mailto:cvs-src-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/cvs-src>
List-Post: <mailto:cvs-src@freebsd.org>
List-Help: <mailto:cvs-src-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-src>,
	<mailto:cvs-src-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Apr 2005 14:29:35 -0000

andre       2005-04-21 14:29:34 UTC

  FreeBSD src repository

  Modified files:
    sys/netinet          ip_icmp.c ip_icmp.h tcp_subr.c 
  Log:
  Move Path MTU discovery ICMP processing from icmp_input() to
  tcp_ctlinput() and subject it to active tcpcb and sequence
  number checking.  Previously any ICMP unreachable/needfrag
  message would cause an update to the TCP hostcache.  Now only
  ICMP PMTU messages belonging to an active TCP session with
  the correct src/dst/port and sequence number will update the
  hostcache and complete the path MTU discovery process.
  
  Note that we don't entirely implement the recommended counter
  measures of Section 7.2 of the paper.  However we close down
  the possible degradation vector from trivially easy to really
  complex and resource intensive.  In addition we have limited
  the smallest acceptable MTU with net.inet.tcp.minmss sysctl
  for some time already, further reducing the effect of any
  degradation due to an attack.
  
  Security:       draft-gont-tcpm-icmp-attacks-03.txt Section 7.2
  MFC after:      3 days
  
  Revision  Changes    Path
  1.99      +1 -45     src/sys/netinet/ip_icmp.c
  1.24      +1 -0      src/sys/netinet/ip_icmp.h
  1.223     +36 -7     src/sys/netinet/tcp_subr.c