Re: ICMP fragmentation required but DF set problems.

2001-01-25 Thread Felix von Leitner
Thus spake [EMAIL PROTECTED] ([EMAIL PROTECTED]): IPv6 is another case though. Here you have mandatory PMTU for all protocols. This is a myth. It is quite possible to have a IPv6 implementation that does not require PMTU discovery. You just fragment all your traffic at

Re: ICMP fragmentation required but DF set problems.

2001-01-23 Thread Niels Provos
PMTU discovery is used by TCP (primarily if not exclusively). Isn't it possible to 1. check TCP sequence numbers in ICMP frag. needed messages generated as a response to a TCP datagram (in the same way they should be checked on any ICMP dest. unreachable to prevent a trivial DoS), 2. disregard

Re: ICMP fragmentation required but DF set problems.

2001-01-23 Thread antirez
On Sun, Jan 21, 2001 at 04:40:53PM +0100, Pavel Kankovsky wrote: On Mon, 15 Jan 2001, antirez wrote: It's possible to slowdown (a lot) connections between two arbirary hosts (but at least one with the PMTU discovery enabled) using some spoofed TCP/IP packet. Maybe you can do more

Re: ICMP fragmentation required but DF set problems.

2001-01-23 Thread antirez
On Mon, Jan 22, 2001 at 06:15:33PM -0500, Niels Provos wrote: IPv6 is another case though. Here you have mandatory PMTU for all protocols. In this case, and even with IPv4 if you want UDP PMTU API and so on, the only way seems to sign the outgoing packets with an HMAC and a local key. So you

Re: ICMP fragmentation required but DF set problems.

2001-01-16 Thread Ofir Arkin
--Original Message- From: Bugtraq List [mailto:[EMAIL PROTECTED]]On Behalf Of antirez Sent: Sunday, January 14, 2001 10:16 PM To: [EMAIL PROTECTED] Subject: ICMP fragmentation required but DF set problems. Hi all, The problem I'm exposing is quite obvious, but unfortunatelly can be used in a ve

Re: ICMP fragmentation required but DF set problems.

2001-01-16 Thread Peter Mathiasson
On Monday 15 January 2001 07:15, antirez wrote: SOLUTION There isn't a clear solution. PMTU Discovery can be disabled under linux, echo 1 /proc/sys/net/ipv4/ip_no_pmtu_disc

Re: ICMP fragmentation required but DF set problems.

2001-01-16 Thread antirez
On Mon, Jan 15, 2001 at 10:09:00PM -0800, Ofir Arkin wrote: This is a valid method, and known, to slow down a link between two hosts. Ok, I guess that someone tryed it first. As I stated it's trivial since other ICMP types was already abused. In my paper "ICMP Usage In Scanning" (currently

ICMP fragmentation required but DF set problems.

2001-01-15 Thread antirez
Hi all, The problem I'm exposing is quite obvious, but unfortunatelly can be used in a very simple way by script kiddies. SYNOPSIS It's possible to slowdown (a lot) connections between two arbirary hosts (but at least one with the PMTU discovery enabled) using some spoofed TCP/IP packet.