On Mon, Jan 07, 2002 at 01:57:26PM +0200, Yonatan Bokovza wrote:
> -Original Message-
> From: Crist J. Clark [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, January 06, 2002 02:39
> To: Leo Bicknell
> Cc: Rogier R. Mulhuijzen; [EMAIL PROTECTED]
> Subject: Re: path_mtu_discovery
[snip]
> I'd support it if anyone actually has any c
On Fri, Jan 04, 2002 at 07:08:16PM -0500, Leo Bicknell wrote:
> In a message written on Sat, Jan 05, 2002 at 01:14:45AM +0100, Rogier R. Mulhuijzen wrote:
> > If we're on the internet yes. If you're in an environment other than one
> > connected to the internet (do those even exist ) no.
> > He
Jesper Skriver wrote:
> On Fri, Jan 04, 2002 at 06:02:10PM -0500, Louis A. Mamakos wrote:
> > One possibility is that the code in icmp_input() processing the
> > PMTU discovery-induced ICMP message could verify that the returned
> > header in fact is associated with a connection on the host and
>
> : Out of curiosity, where do MTUs < ~512 occur?
>
> Old slip links that used it to reduce latency. I suspect that there
> aren't too many of them left in the world.
You'd be surprised. I measure SLIP's efficiency (in throughput) to be
about 5-15% more efficient than PPP in older versions of F
On Fri, Jan 04, 2002 at 06:02:10PM -0500, Louis A. Mamakos wrote:
>
> One possibility is that the code in icmp_input() processing the
> PMTU discovery-induced ICMP message could verify that the returned
> header in fact is associated with a connection on the host and
> maybe even has sane sequenc
On Fri, Jan 04, 2002 at 03:11:45PM -0800, Terry Lambert wrote:
>
> I knew that I could multiply the number of packets sent by a
> factor of 5... I was pointing out a flaw in the idea of allowing
> path MTU ICMP back in, unconditionally...
There is nothing 'unconditionally' in ipfilter. The IP pac
"M. Warner Losh" wrote:
> In message: <[EMAIL PROTECTED]>
> "Rogier R. Mulhuijzen" <[EMAIL PROTECTED]> writes:
> : Out of curiosity, where do MTUs < ~512 occur?
>
> Old slip links that used it to reduce latency. I suspect that there
> aren't too many of them left in the world.
PPPoE
In message: <[EMAIL PROTECTED]>
"Rogier R. Mulhuijzen" <[EMAIL PROTECTED]> writes:
: Out of curiosity, where do MTUs < ~512 occur?
Old slip links that used it to reduce latency. I suspect that there
aren't too many of them left in the world.
Warner
> I don't have the RFC handy, but aren't all Internet connected hosts
> required to support a minimum MTU of 576 from end to end with no
> fragmentation? Thus if we ever got an MTU less than 576 we should
> ignore it. Right?
No, all hosts are required to be able to reassemble IP datagram fragm
In a message written on Sat, Jan 05, 2002 at 01:14:24AM +0100, Rogier R. Mulhuijzen wrote:
> >I suppose so, but then you won't be able to connect to machines with
> >minuscule path MTU's, and that should definitely be a warning. But then
> >it beats Linux which allows the path MTU to be reduce
In a message written on Fri, Jan 04, 2002 at 04:03:35PM -0800, William Carrel wrote:
> RFC 879 (http://www.rfc.net/rfc879.html) would tend to disagree...
>
> (10) Gateways must be prepared to fragment datagrams to fit into the
> packets of the next network, even if it smaller than 576 octets.
H
On Friday, January 4, 2002, at 03:56 PM, Leo Bicknell wrote:
> In a message written on Fri, Jan 04, 2002 at 01:26:54PM -0800, William
> Carrel wrote:
>> See now you've made me curious, and I ask myself questions like: How
>> robust is PMTU-D against someone malicious who wants to make us send
>
In a message written on Sat, Jan 05, 2002 at 01:14:45AM +0100, Rogier R. Mulhuijzen wrote:
> If we're on the internet yes. If you're in an environment other than one
> connected to the internet (do those even exist ) no.
> Hence my tuneable sysctl idea.
I'll support a sysctl, however I'll also
>I don't have the RFC handy, but aren't all Internet connected hosts
>required to support a minimum MTU of 576 from end to end with no
>fragmentation? Thus if we ever got an MTU less than 576 we should
>ignore it. Right?
If we're on the internet yes. If you're in an environment other than one
>I suppose so, but then you won't be able to connect to machines with
>minuscule path MTU's, and that should definitely be a warning. But then
>it beats Linux which allows the path MTU to be reduced to 69 bytes (ouch!).
Ouch indeed. Well default would be what we have now, but you'd be able t
In a message written on Fri, Jan 04, 2002 at 01:26:54PM -0800, William Carrel wrote:
> See now you've made me curious, and I ask myself questions like: How
> robust is PMTU-D against someone malicious who wants to make us send
> tinygrams? Could the connection eventually be forced down to an MT
[reducing CC creep]
On Friday, January 4, 2002, at 03:46 PM, Leo Bicknell wrote:
> In a message written on Fri, Jan 04, 2002 at 03:35:35PM -0800, Terry
> Lambert wrote:
>> Of course, now you've let the dirty little secret out of the
>> bag: the MTU is on the *route*, which means on the next hop,
In a message written on Fri, Jan 04, 2002 at 03:35:35PM -0800, Terry Lambert wrote:
> Of course, now you've let the dirty little secret out of the
> bag: the MTU is on the *route*, which means on the next hop,
> so a spoof that got through would frag basically all traffic
> out of the victim machi
>I suppose we'll always get a couple hundred bytes in edgewise anyway, but
>it all makes for an interesting exercise. I wonder about the robustness
>of other operating systems to such an attack...
I think malicious people will point their ears at this line here ^^
Maybe make the minimum size
"Louis A. Mamakos" wrote:
> One possibility is that the code in icmp_input() processing the
> PMTU discovery-induced ICMP message could verify that the returned
> header in fact is associated with a connection on the host and
> maybe even has sane sequence numbers (for TCP segments). This would
>
Guido van Rooij wrote:
> > > ipfilter with 'keep state' on the connections will automatically allow
> > > back in relevant ICMP messages such as mustfrag.
> >
> > Heh... I need to try to write a "mustfrag" daemon, which will
> > spoof them back whenever it sees traffic... and see what happens.
>
One possibility is that the code in icmp_input() processing the
PMTU discovery-induced ICMP message could verify that the returned
header in fact is associated with a connection on the host and
maybe even has sane sequence numbers (for TCP segments). This would
make it more difficult to just spr
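The check Louis Mamakos proposes above, written out as an added stand-alone example in C. This is not FreeBSD's icmp_input() and not code from anyone in this thread: it parses an ICMP type 3 code 4 ("fragmentation needed") message, requires the quoted inner IP/TCP header to match a connection the host actually has, requires the quoted sequence number to be one currently in flight, and refuses any Next-Hop MTU below a configurable floor, which stands in for the tunable minimum (576 by default here) discussed earlier in the thread. The connection table, the addresses (documentation ranges), the ports, the sequence numbers and the pmtu_check_sample() helper are all constructed for the example. The ICMP checksum is not verified and the RFC 1191 plateau-table fallback for a zero Next-Hop MTU is not implemented.

```c
/*
 * Added example (not FreeBSD code): validate an inbound ICMP
 * "fragmentation needed" (type 3, code 4) message before honoring its
 * Next-Hop MTU. A forged message must match a real connection, quote a
 * sequence number we actually have in flight, and not push the path MTU
 * below a configurable floor.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ICMP_UNREACH          3
#define ICMP_UNREACH_NEEDFRAG 4
#define PMTU_MIN_DEFAULT      576  /* floor from the thread; would be a sysctl in a real stack */

enum pmtu_verdict {
    PMTU_ACCEPT = 0, PMTU_BAD_LEN, PMTU_NOT_NEEDFRAG, PMTU_BAD_INNER,
    PMTU_NOT_TCP, PMTU_NOT_OURS, PMTU_NO_CONN, PMTU_BAD_SEQ, PMTU_TOO_SMALL
};

/* Minimal connection record; all fields in host byte order. */
struct tcp_conn {
    uint32_t laddr, raddr;
    uint16_t lport, rport;
    uint32_t snd_una, snd_nxt;   /* oldest unacked seq, next seq to send */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* True if seq lies in the half-open window [una, nxt), modulo 2^32. */
static int seq_in_flight(uint32_t seq, uint32_t una, uint32_t nxt)
{
    return (int32_t)(seq - una) >= 0 && (int32_t)(seq - nxt) < 0;
}

/*
 * icmp points at the ICMP header (type, code, cksum, unused, next-hop MTU)
 * followed by the quoted IP header and the first 8 bytes of its payload,
 * which for TCP are source port, destination port and sequence number.
 */
enum pmtu_verdict pmtu_validate(const uint8_t *icmp, size_t len, uint32_t local_ip,
                                const struct tcp_conn *tbl, size_t ntbl,
                                uint16_t min_mtu, uint16_t *mtu_out)
{
    if (len < 8 + 20 + 8) return PMTU_BAD_LEN;
    if (icmp[0] != ICMP_UNREACH || icmp[1] != ICMP_UNREACH_NEEDFRAG) return PMTU_NOT_NEEDFRAG;
    uint16_t next_mtu = rd16(icmp + 6);

    const uint8_t *ip = icmp + 8;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20) return PMTU_BAD_INNER;
    if (len < 8 + ihl + 8) return PMTU_BAD_LEN;
    if (ip[9] != 6) return PMTU_NOT_TCP;              /* protocol 6 = TCP */

    /* The quoted datagram must be one we sent. */
    uint32_t src = rd32(ip + 12), dst = rd32(ip + 16);
    if (src != local_ip) return PMTU_NOT_OURS;

    const uint8_t *tcp = ip + ihl;
    uint16_t sport = rd16(tcp), dport = rd16(tcp + 2);
    uint32_t seq = rd32(tcp + 4);

    const struct tcp_conn *c = NULL;
    for (size_t i = 0; i < ntbl; i++)
        if (tbl[i].laddr == src && tbl[i].raddr == dst &&
            tbl[i].lport == sport && tbl[i].rport == dport) { c = &tbl[i]; break; }
    if (!c) return PMTU_NO_CONN;
    if (!seq_in_flight(seq, c->snd_una, c->snd_nxt)) return PMTU_BAD_SEQ;
    if (next_mtu < min_mtu) return PMTU_TOO_SMALL;
    if (mtu_out) *mtu_out = next_mtu;
    return PMTU_ACCEPT;
}

/* Build a 36-byte need-frag message (checksum left zero; not verified above). */
size_t build_needfrag(uint8_t *buf, uint16_t next_mtu, uint32_t src, uint32_t dst,
                      uint16_t sport, uint16_t dport, uint32_t seq)
{
    memset(buf, 0, 36);
    buf[0] = ICMP_UNREACH; buf[1] = ICMP_UNREACH_NEEDFRAG;
    wr16(buf + 6, next_mtu);
    uint8_t *ip = buf + 8;
    ip[0] = 0x45; wr16(ip + 2, 40); ip[8] = 64; ip[9] = 6;
    wr32(ip + 12, src); wr32(ip + 16, dst);
    wr16(ip + 20, sport); wr16(ip + 22, dport); wr32(ip + 24, seq);
    return 36;
}

/* Constructed sample state: documentation-range addresses, one connection. */
#define IPV4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define LOCAL_IP  IPV4(192, 0, 2, 10)
#define REMOTE_IP IPV4(198, 51, 100, 20)
static const struct tcp_conn sample_conns[] = {
    { LOCAL_IP, REMOTE_IP, 40123, 80, 1000u, 1000u + 4380u }, /* three 1460-byte segments in flight */
};

/* Hypothetical helper: build a message against the sample state and judge it. */
enum pmtu_verdict pmtu_check_sample(uint16_t next_mtu, uint32_t dst, uint16_t sport,
                                    uint16_t dport, uint32_t seq)
{
    uint8_t buf[36];
    size_t n = build_needfrag(buf, next_mtu, LOCAL_IP, dst, sport, dport, seq);
    return pmtu_validate(buf, n, LOCAL_IP, sample_conns, 1, PMTU_MIN_DEFAULT, NULL);
}

int main(void)
{
    static const char *name[] = { "ACCEPT", "BAD_LEN", "NOT_NEEDFRAG", "BAD_INNER",
        "NOT_TCP", "NOT_OURS", "NO_CONN", "BAD_SEQ", "TOO_SMALL" };
    printf("genuine, mtu 1400:         %s\n", name[pmtu_check_sample(1400, REMOTE_IP, 40123, 80, 1000)]);
    printf("seq not in flight:         %s\n", name[pmtu_check_sample(1400, REMOTE_IP, 40123, 80, 5380)]);
    printf("unknown peer:              %s\n", name[pmtu_check_sample(1400, IPV4(203, 0, 113, 5), 40123, 80, 1000)]);
    printf("tinygram attempt, mtu 296: %s\n", name[pmtu_check_sample(296, REMOTE_IP, 40123, 80, 1000)]);
    return 0;
}
```

The sequence-number test is the part that makes blind spoofing expensive: an attacker who is not on path has to guess a 32-bit value inside a window that is at most a few segments wide, and gets one try per forged packet. The MTU floor covers the case the thread worries about separately, a correctly matched but absurdly small Next-Hop MTU.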
On Fri, Jan 04, 2002 at 12:46:19PM -0800, Terry Lambert wrote:
> William Carrel wrote:
> > Blocking all ICMP is bad m'kay?
>
> First, I agree...
>
> > ipfilter with 'keep state' on the connections will automatically allow
> > back in relevant ICMP messages such as mustfrag.
>
> Heh... I need to
On Friday, January 4, 2002, at 12:46 PM, Terry Lambert wrote:
> William Carrel wrote:
>
>> ipfilter with 'keep state' on the connections will automatically allow
>> back in relevant ICMP messages such as mustfrag.
>
> Heh... I need to try to write a "mustfrag" daemon, which will
> spoof them back
On Fri, Jan 04, 2002 at 07:45:43AM -0800, Kristopher Kublinski wrote:
> I have the same setup as Martin but I can't say I have the same problem. I am also
> blocking all incoming ICMP traffic - in fact I have explicitly denied almost all
> incoming traffic so I do not think that is the proble
William Carrel wrote:
> Blocking all ICMP is bad m'kay?
First, I agree...
> ipfilter with 'keep state' on the connections will automatically allow
> back in relevant ICMP messages such as mustfrag.
Heh... I need to try to write a "mustfrag" daemon, which will
spoof them back whenever it sees tr
On Fri, Jan 04, 2002 at 02:48:22PM +0200, Peter Pentchev wrote:
> You have not, by any chance, firewalled ICMP replies, have you -
> either outgoing on the router, or incoming on the FreeBSD box?
No. Since I can see the ICMP messages with tcpdump, I thought
there is a problem with FreeBSD not lo
On Friday, January 4, 2002, at 07:45 AM, Kristopher Kublinski wrote:
> --- Peter Pentchev <[EMAIL PROTECTED]> wrote:
>> On Fri, Jan 04, 2002 at 11:08:06AM +0100, Martin Kaeske wrote:
>>> Hello,
>>> I'm using FreeBSD-4.4-STABLE and have an OpenBSD-2.9 router to
>>> connect to the internet (via DSL
--- Peter Pentchev <[EMAIL PROTECTED]> wrote:
> On Fri, Jan 04, 2002 at 11:08:06AM +0100, Martin Kaeske wrote:
> > Hello,
> > I'm using FreeBSD-4.4-STABLE and have an OpenBSD-2.9 router to
> > connect to the internet (via DSL). If I try to do a cvsup
> > (cvsup.de.freebsd.org, cvsup2.de.freebsd.or
On Fri, Jan 04, 2002 at 11:08:06AM +0100, Martin Kaeske wrote:
> Hello,
> I'm using FreeBSD-4.4-STABLE and have an OpenBSD-2.9 router to
> connect to the internet (via DSL). If I try to do a cvsup
> (cvsup.de.freebsd.org, cvsup2.de.freebsd.org, cvsup.freebsd.org)
> I'm getting a lot of "icmp: Dest