Date: Sat, 05 Jan 2002 01:14:24 +0100
From: "Rogier R. Mulhuijzen" <drwilco@drwilco.net>
To: freebsd-hackers@freebsd.org
Subject: Re: path_mtu_discovery
Message-ID: <5.1.0.14.0.20020105011402.01d75230@mail.drwilco.net>
<snip description="put minimum mtu in tuneable sysctl"/>

>I suppose so, but then you won't be able to connect to machines with
>minuscule path MTUs, and that should definitely be a warning. But then
>it beats Linux which allows the path MTU to be reduced to 69 bytes (ouch!).

Ouch indeed. Well, default would be what we have now, but you'd be able to tune it. The way I see it is that the attack would be most common on the internet, and minuscule MTUs would most probably occur in specialistic environments. Admins of potential targets would raise the minimum to a nice value (say 512 or 1024), and print a message when something requests something below this minimum, for troubleshooting ease.

Or maybe a soft limit and a hard limit. Soft limit triggers a message, hard limit is enforced.

Out of curiosity, where do MTUs < ~512 occur?

>The best solution is to try and make sure that the mustfrag messages are
>coming from real connections we have open, and perhaps even, make sure
>that the host on the remote end hasn't already ACK'ed a packet whose
>header shows up in the ICMP mustfrag. (It would be kind of silly to get
>an ACK and a mustfrag.) Although, then it is just a race to see who gets
>their packet to us first.

What about a mustfrag flood? Wouldn't this be a tad much to process?

DocWilco
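
The checks discussed in this message (a soft and a hard minimum MTU, and accepting a mustfrag only when it quotes unacknowledged data from an open connection), as an added example that is not part of the original e-mail and is not FreeBSD code. The struct layouts, the function name, and the limit values 1024 and 512 are assumptions for illustration; a below-hard-limit request is clamped here, which is one possible reading of "enforced".

```c
#include <stddef.h>
#include <stdint.h>

/* Wraparound-safe TCP sequence comparisons. */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)

enum pmtu_verdict { PMTU_DROP, PMTU_ACCEPT, PMTU_WARN, PMTU_CLAMP };

struct conn {                 /* hypothetical connection-table entry */
    uint32_t laddr, faddr;
    uint16_t lport, fport;
    uint32_t snd_una;         /* oldest unacknowledged sequence number */
    uint32_t snd_max;         /* highest sequence number sent, plus one */
    uint32_t pmtu;            /* current path MTU estimate */
};

struct mustfrag {             /* fields from the header quoted in the ICMP error */
    uint32_t src, dst;
    uint16_t sport, dport;
    uint32_t seq, next_mtu;
};

/* Hypothetical tunables standing in for the proposed sysctls. */
static uint32_t pmtu_soft_min = 1024; /* below this: accept, caller logs */
static uint32_t pmtu_hard_min = 512;  /* below this: clamp to this value */

enum pmtu_verdict
pmtu_handle_mustfrag(struct conn *tab, size_t n, const struct mustfrag *m)
{
    struct conn *c = NULL;
    for (size_t i = 0; i < n && c == NULL; i++)
        if (tab[i].laddr == m->src && tab[i].faddr == m->dst &&
            tab[i].lport == m->sport && tab[i].fport == m->dport)
            c = &tab[i];
    if (c == NULL)
        return PMTU_DROP;     /* not a connection we have open */
    /* Quoted segment must still be in flight: snd_una <= seq < snd_max. */
    if (SEQ_LT(m->seq, c->snd_una) || SEQ_GEQ(m->seq, c->snd_max))
        return PMTU_DROP;     /* already ACKed, or never sent */
    if (m->next_mtu >= c->pmtu)
        return PMTU_DROP;     /* a mustfrag can only lower the estimate */
    if (m->next_mtu < pmtu_hard_min) {
        c->pmtu = pmtu_hard_min;
        return PMTU_CLAMP;
    }
    c->pmtu = m->next_mtu;
    return m->next_mtu < pmtu_soft_min ? PMTU_WARN : PMTU_ACCEPT;
}
```

The linear table scan keeps the example short; it does not address the cost of a mustfrag flood raised at the end of the message.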