Date: Fri, 4 Jan 2002 19:52:23 -0500
From: Leo Bicknell <bicknell@ufp.org>
To: "Rogier R. Mulhuijzen" <drwilco@drwilco.net>
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: path_mtu_discovery
Message-ID: <20020105005223.GA55340@ussenterprise.ufp.org>
In-Reply-To: <5.1.0.14.0.20020105011402.01d75230@mail.drwilco.net>
References: <5.1.0.14.0.20020105011402.01d75230@mail.drwilco.net>
In a message written on Sat, Jan 05, 2002 at 01:14:24AM +0100, Rogier R. Mulhuijzen wrote:
> >I suppose so, but then you won't be able to connect to machines with
> >minuscule path MTU's, and that should definitely be a warning. But then
> >it beats Linux which allows the path MTU to be reduced to 69 bytes (ouch!).
>
> Ouch indeed. Well default would be what we have now, but you'd be able to
> tune it. The way I see it is that the attack would be most common on the
> internet, and minuscule MTUs would most probably occur in specialistic
> environments. Admins of potential targets would raise the minimum to a nice
> value (say 512 or 1024), and print a message when something requests
> something below this minimum, for troubleshooting ease. Or maybe a soft
> limit and a hard limit. Soft limit triggers a message, hard limit is
> enforced.

ftp://ftp.isi.edu/in-notes/rfc791.txt

] Every internet module must be able to forward a datagram of 68
] octets without further fragmentation. This is because an internet
] header may be up to 60 octets, and the minimum fragment is 8 octets.

And

] Every internet destination must be able to receive a datagram of 576
] octets either in one piece or in fragments to be reassembled.

Not as good as I hoped. So, it would seem the roadmap would look
something like this:

1) Ensure FreeBSD won't allow an MTU < 68 bytes ever. (ifconfig, icmp
   mtu messages, anything)

2) Implement a warning if the MTU is set smaller than some minimum
   value (perhaps 576 for the global internet) if admins wish to see
   such things.

3) Allow admins to enforce a higher minimum size for servers in attack
   situations, knowing this violates the RFC.

-- 
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
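The soft-limit/hard-limit policy sketched in the exchange above, as an added example that is not part of the original thread and not FreeBSD's own code: a user-space C model of how a requested path MTU (from an ICMP "fragmentation needed" message or an interface configuration request) would be checked against the RFC 791 floor of 68 octets, a soft limit that only logs (576 here, the RFC 791 destination minimum), and an admin-chosen hard limit that refuses the value. The policy struct, the function names, the verdict enum and the constructed 8-byte ICMP header are all assumptions made for this example; the ICMP field layout (type 3, code 4, next-hop MTU in bytes 6-7) follows RFC 1191.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Floors taken from RFC 791, as quoted in the message above. */
#define IP_MIN_FORWARD_MTU   68   /* every module must forward 68 octets */
#define IP_MIN_DEST_MTU     576   /* every destination must receive 576  */

/* Hypothetical verdict type for this example. */
enum mtu_verdict {
    MTU_ACCEPT,        /* apply the new path MTU silently            */
    MTU_ACCEPT_WARN,   /* apply it, but log: below the soft limit    */
    MTU_REJECT         /* keep the current MTU: below the hard limit */
};

/* Hypothetical policy: soft limit warns, hard limit enforces. */
struct mtu_policy {
    unsigned soft_limit; /* warn below this (e.g. 576)              */
    unsigned hard_limit; /* refuse below this (admin-chosen, >= 68) */
};

/* Build a policy. The hard limit can never drop below the RFC 791
   forwarding floor (roadmap step 1), and the soft limit is raised to at
   least the hard limit so the "warn" band always sits above "reject". */
struct mtu_policy mtu_policy_make(unsigned soft, unsigned hard)
{
    struct mtu_policy p;
    p.hard_limit = hard < IP_MIN_FORWARD_MTU ? IP_MIN_FORWARD_MTU : hard;
    p.soft_limit = soft < p.hard_limit ? p.hard_limit : soft;
    return p;
}

/* Decide what to do with a requested path MTU. *applied receives the
   MTU the caller should actually install (unchanged on reject). */
enum mtu_verdict mtu_evaluate(const struct mtu_policy *p, unsigned current,
                              unsigned requested, unsigned *applied)
{
    if (requested < p->hard_limit) {
        *applied = current;
        return MTU_REJECT;
    }
    *applied = requested;
    return requested < p->soft_limit ? MTU_ACCEPT_WARN : MTU_ACCEPT;
}

/* Extract the next-hop MTU from an ICMP Destination Unreachable header
   (RFC 1191 layout): byte 0 type, 1 code, 2-3 checksum, 4-5 unused,
   6-7 next-hop MTU. Returns 0 unless this is type 3 / code 4
   ("fragmentation needed"); a router that sets no MTU also yields 0. */
unsigned icmp_next_hop_mtu(const uint8_t *hdr, size_t len)
{
    if (len < 8 || hdr[0] != 3 || hdr[1] != 4)
        return 0;
    return ((unsigned)hdr[6] << 8) | hdr[7];
}

/* Run one ICMP header through the policy and log the outcome, which is
   the "print a message ... for troubleshooting ease" part of the plan. */
enum mtu_verdict mtu_handle_icmp(const struct mtu_policy *p, unsigned current,
                                 const uint8_t *hdr, size_t len, unsigned *applied)
{
    unsigned req = icmp_next_hop_mtu(hdr, len);
    enum mtu_verdict v;
    if (req == 0) {            /* wrong message type, or no MTU supplied */
        *applied = current;
        return MTU_REJECT;
    }
    v = mtu_evaluate(p, current, req, applied);
    if (v == MTU_ACCEPT_WARN)
        printf("warning: path MTU %u requested, below soft limit %u\n",
               req, p->soft_limit);
    else if (v == MTU_REJECT)
        printf("rejected: path MTU %u requested, below hard limit %u\n",
               req, p->hard_limit);
    return v;
}

int main(void)
{
    /* Constructed sample: ICMP type 3, code 4, checksum left zero,
       next-hop MTU 0x0045 = 69 octets (the Linux case from the thread). */
    const uint8_t frag_needed_69[8] = {3, 4, 0, 0, 0, 0, 0x00, 0x45};
    /* Soft limit 576 (RFC destination minimum), hard limit 512 as the
       message suggests an admin might pick under attack. */
    struct mtu_policy p = mtu_policy_make(IP_MIN_DEST_MTU, 512);
    unsigned applied;
    enum mtu_verdict v = mtu_handle_icmp(&p, 1500, frag_needed_69, 8, &applied);
    printf("verdict=%d applied=%u\n", (int)v, applied);
    return 0;
}
```

With the sample policy, a 69-octet request is rejected and the route keeps 1500; a 540-octet request is applied but logged; anything at or above 576 is applied silently. Setting the hard limit to 0 (or leaving it unset) still yields a floor of 68, which is the property step 1 of the roadmap asks for.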