On Friday, January 4, 2002, at 12:46 PM, Terry Lambert wrote:

> William Carrel wrote:
>
>> ipfilter with 'keep state' on the connections will automatically allow
>> back in relevant ICMP messages such as mustfrag.
>
> Heh... I need to try to write a "mustfrag" daemon, which will
> spoof them back whenever it sees traffic... and see what happens.
See, now you've made me curious, and I ask myself questions like: How robust is PMTU-D against someone malicious who wants to make us send tinygrams? Could the connection eventually be forced down to an MTU so low that no actual data transfer could occur, or TCP frames with only one byte of information? Granted, the malicious person has to send back a valid set of headers with their ICMP to get through ipfilter; but now I have this bad feeling lurking in the back of my mind...

The bad feeling is helped along by observing sys/netinet/ip_icmp.c and the fact that as long as the MTU suggested is greater than 296 bytes we accept the values of any ICMP mustfrag that comes in, provided we have a host route for it.

I suppose we'll always get a couple hundred bytes in edgewise anyway, but it all makes for an interesting exercise. I wonder about the robustness of other operating systems to such an attack...

-- 
Andy Carrel - [EMAIL PROTECTED] - +1 (425) 201-8745
Señor Systems Eng. - Corporate Infrastructure Applications - InfoSpace
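As an added illustration, not code from the thread or from FreeBSD, here is the receiving side of the two checks the message describes: a stateful host only honours an ICMP "fragmentation needed" message whose quoted headers match a connection it actually has open (the ipfilter 'keep state' match), and it refuses to let the estimate be driven down to or below the 296-byte figure cited from ip_icmp.c. Flow, build_frag_needed, parse_frag_needed and apply_frag_needed are my own names, the sample packet is constructed, and the 1500-byte starting estimate is an assumption.

```python
import struct
from collections import namedtuple

# Figure quoted in the thread: ip_icmp.c takes a suggested MTU only if it is
# greater than 296 bytes.  The rest of this file is my own illustration.
MTU_FLOOR = 296
ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED = 3, 4

# A TCP connection as a 'keep state' filter remembers it, our side first.
Flow = namedtuple("Flow", "src sport dst dport")

def _addr(dotted):
    return bytes(int(x) for x in dotted.split("."))

def build_frag_needed(mtu, flow):
    """Constructed sample: ICMP type 3/code 4 quoting 28 bytes of a datagram we sent."""
    icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, mtu)  # checksum 0, not verified
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                         _addr(flow.src), _addr(flow.dst))
    return icmp + ip_hdr + struct.pack("!HHI", flow.sport, flow.dport, 0)

def parse_frag_needed(pkt):
    """Return (next_hop_mtu, Flow quoted in the message) or None if malformed."""
    if len(pkt) < 8 + 20 + 8:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", pkt[:8])
    if (icmp_type, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        return None
    inner = pkt[8:]
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or inner[9] != 6 or len(inner) < ihl + 8:  # need TCP + ports
        return None
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return mtu, Flow(".".join(map(str, inner[12:16])), sport,
                     ".".join(map(str, inner[16:20])), dport)

def apply_frag_needed(pkt, state, path_mtu):
    """Stateful handling: `state` is the set of open Flows, `path_mtu` maps a
    Flow to its current estimate.  Returns (accepted, MTU now in effect)."""
    parsed = parse_frag_needed(pkt)
    if parsed is None or parsed[1] not in state:   # bad format or no such connection
        return False, None
    mtu, flow = parsed
    current = path_mtu.get(flow, 1500)             # assumed starting estimate
    if mtu <= MTU_FLOOR:      # refuse to be driven down to tinygrams (the thread's floor)
        return False, current
    if mtu >= current:        # PMTU discovery only ever lowers the estimate
        return False, current
    path_mtu[flow] = mtu
    return True, mtu
```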