In a message written on Sat, Jan 05, 2002 at 01:14:24AM +0100, Rogier R. Mulhuijzen 
wrote:
> >I suppose so, but then you won't be able to connect to machines with 
> >minuscule path MTU's, and that should definitely be a warning.  But then 
> >it beats Linux which allows the path MTU to be reduced to 69 bytes (ouch!).
> 
> Ouch indeed. Well default would be what we have now, but you'd be able to 
> tune it. The way I see it is that the attack would be most common on the 
> internet, and minuscule MTUs would most probably occur in specialistic 
> environments. Admins of potential targets would raise the minimum to a nice 
> value (say 512 or 1024), and print a message when something requests 
> something below this minimum, for troubleshooting ease.  Or maybe a soft 
> limit and a hard limit. Soft limit triggers a message, hard limit is 
> enforced.

ftp://ftp.isi.edu/in-notes/rfc791.txt

]    Every internet module must be able to forward a datagram of 68
]    octets without further fragmentation.  This is because an internet
]    header may be up to 60 octets, and the minimum fragment is 8 octets.

And

]    Every internet destination must be able to receive a datagram of 576
]    octets either in one piece or in fragments to be reassembled.

Not as good as I hoped.

So, it would seem the roadmap would look something like this:

1) Ensure FreeBSD won't allow an MTU < 68 bytes ever.  (ifconfig,
   icmp mtu messages, anything)

2) Implement a warning if the MTU is set smaller than some minimum
   value (perhaps 576 for the global internet) if admins wish to
   see such things.

3) Allow admins to enforce a higher minimum size for servers in 
   attack situations, knowing this violates the RFC.


-- 
       Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - [EMAIL PROTECTED], www.tmbg.org
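The soft/hard limit scheme from the roadmap above, as an added illustration that is not code from the thread or from FreeBSD: the RFC 791 floor of 68 octets is never violated, a soft minimum only logs, and an admin-raised hard minimum clamps the requested value (clamping rather than dropping the request is my assumption; the struct and function names are hypothetical, not real sysctls).

```c
#include <stdbool.h>
#include <stdio.h>

/* Absolute floor from RFC 791: every module must forward 68-octet datagrams. */
#define IP_MIN_MTU_RFC791 68
/* RFC 791 size every destination must receive, whole or in fragments. */
#define IP_MIN_MTU_INTERNET 576

/* Hypothetical admin-tunable limits (names assumed, not FreeBSD sysctls). */
struct pmtu_policy {
    int soft_min;   /* below this: log a warning, still accept */
    int hard_min;   /* below this: refuse, clamp to hard_min */
};

struct pmtu_result {
    int  mtu;       /* MTU actually installed for the route */
    bool warned;    /* a soft-limit warning was emitted */
    bool clamped;   /* the requested value was raised to hard_min */
};

/* Step 1: hard_min may never sit below the RFC 791 floor, and the soft
 * limit must not be below the hard one. Returns false if the policy is bad. */
bool pmtu_policy_valid(const struct pmtu_policy *p)
{
    return p->hard_min >= IP_MIN_MTU_RFC791 && p->soft_min >= p->hard_min;
}

/* Apply the policy to an MTU proposed by ifconfig or by an ICMP
 * "fragmentation needed" message. Caller must have validated the policy. */
struct pmtu_result pmtu_apply(const struct pmtu_policy *p, int requested)
{
    struct pmtu_result r = { requested, false, false };

    if (requested < p->hard_min) {
        /* Steps 1 and 3: never go below the enforced minimum. */
        r.mtu = p->hard_min;
        r.clamped = true;
    }
    if (requested < p->soft_min) {
        /* Step 2: warn so admins can troubleshoot legitimate tiny-MTU paths. */
        fprintf(stderr, "warning: requested path MTU %d below soft minimum %d\n",
                requested, p->soft_min);
        r.warned = true;
    }
    return r;
}
```

With the default policy {576, 68} a request of 40 is raised to 68 and logged; with an admin policy {1024, 512} a request of 300 is raised to 512 and logged.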
