On 4/22/16, Sebastian Beutel wrote:
> Hi List,
>
> in some kind of spring-cleaning of our configuration collection, I
> encountered some lines that differ from Cisco's defaults in many of our
> switches. The Cisco default for the lines in question is like this:
>
> no ip tcp selective-ack
> no ip tcp path-mtu-discovery
>
> This makes me wonder because I believe that PMTU discovery and selective ack
> are good things. Furthermore, in our heritage config defaults selective-ack
> and path-mtu-discovery are explicitly enabled.
>
> The question I would like to ask is therefore: does anyone know why Cisco chose
> to disable this by default, and am I right that it's safe these days to enable
> it?
My attitude is that every feature enabled = another attack surface enabled. So the question is how likely is the attack vs. how much benefit is the feature.

I don't know what attack[s] enabling selective-ack opens up, but there's probably something.

Enabling path MTU discovery [used to? still does??] open up the possibility of an attacker dropping the MTU down to 68 bytes. On the other hand, if the do-not-fragment bit is clear (i.e. path MTU discovery off) you're supposed to assume an MTU of 576 bytes for off-subnet traffic, so maybe something bad will happen vs. a guaranteed performance hit with PMTUD disabled. Have a look at
http://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20050412-icmp.html

All that said, I like having PMTUD & selective ack enabled. Your security office might have a different opinion.

Regards,
Lee
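The "drop the MTU down to 68 bytes" risk above comes from accepting any ICMP "fragmentation needed" message at face value. The following is an added example (not from the thread, not Cisco code) of how a host-side PMTUD handler can validate such a message before honouring it: the quoted header must match an existing connection's 4-tuple and an in-flight sequence number, and the accepted MTU is clamped to an assumed local floor of 576 bytes (the same figure the reply cites for the no-PMTUD case). `Conn`, `build_ptb`, `parse_ptb`, `handle_ptb` and `PTB_FLOOR` are names invented for this example.

```python
import struct
from dataclasses import dataclass

# Assumed local policy: never let a "fragmentation needed" message push the path MTU
# below this; without it a spoofed message could force the IPv4 minimum of 68 bytes.
PTB_FLOOR = 576

@dataclass
class Conn:
    src: bytes      # local IPv4 address (4 bytes)
    dst: bytes      # remote IPv4 address (4 bytes)
    sport: int
    dport: int
    snd_una: int    # oldest unacknowledged sequence number
    snd_nxt: int    # next sequence number to send
    pmtu: int = 1500

def build_ptb(src, dst, sport, dport, seq, mtu):
    """Construct an ICMP type 3 / code 4 message quoting an IPv4+TCP header (constructed test input)."""
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 40, 0, 0x4000, 64, 6, 0, src, dst)
    tcp = struct.pack('!HHII', sport, dport, seq, 0)
    return struct.pack('!BBHHH', 3, 4, 0, 0, mtu) + ip + tcp

def parse_ptb(icmp):
    """Return (mtu, src, dst, sport, dport, seq) from a fragmentation-needed message, or None."""
    if len(icmp) < 28:
        return None
    typ, code, _csum, _unused, mtu = struct.unpack('!BBHHH', icmp[:8])
    ip = icmp[8:]
    ihl = (ip[0] & 0x0F) * 4
    if typ != 3 or code != 4 or ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 6 or len(ip) < ihl + 8:
        return None
    sport, dport, seq = struct.unpack('!HHI', ip[ihl:ihl + 8])
    return mtu, ip[12:16], ip[16:20], sport, dport, seq

def handle_ptb(conn, icmp):
    """Validate a fragmentation-needed message against conn; return (pmtu to use, verdict)."""
    parsed = parse_ptb(icmp)
    if parsed is None:
        return conn.pmtu, 'ignored: not a well-formed fragmentation-needed message'
    mtu, src, dst, sport, dport, seq = parsed
    # The quoted header must describe a segment this host sent on this connection
    if (src, dst, sport, dport) != (conn.src, conn.dst, conn.sport, conn.dport):
        return conn.pmtu, 'ignored: quoted 4-tuple does not match'
    # The quoted sequence number must be in flight (modulo 2^32), as RFC 5927 recommends
    if (seq - conn.snd_una) % 2**32 >= (conn.snd_nxt - conn.snd_una) % 2**32:
        return conn.pmtu, 'ignored: quoted sequence number not in flight'
    if mtu >= conn.pmtu:
        return conn.pmtu, 'ignored: not a decrease'
    conn.pmtu = max(mtu, PTB_FLOOR)
    return conn.pmtu, 'accepted' if mtu >= PTB_FLOOR else 'clamped to floor'
```

The sequence-number check only helps against off-path senders; an on-path attacker can still read the quoted values, so the floor is what bounds the damage in that case.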
