Re: svn commit: r336465 - in head/sys/netinet: . tcp_stacks
On 7/19/18 9:18 AM, Maxim Konovalov wrote:
> On Thu, 19 Jul 2018, 08:09-0400, Michael Tuexen wrote:
>> On 19. Jul 2018, at 03:12, Maxim Konovalov wrote:
>>> Hi Randall,
>>>
>>> On Wed, 18 Jul 2018, 22:49-, Randall Stewart wrote:
>>>> Author: rrs
>>>> Date: Wed Jul 18 22:49:53 2018
>>>> New Revision: 336465
>>>> URL: https://svnweb.freebsd.org/changeset/base/336465
>>>>
>>>> Log:
>>>> Bump the ICMP echo limits to match the RFC
>>> [...]
>>>
>>> Just wonder, are there any practical reasons to do that?
>> In case you send encapsulated packets triggering an ICMP message
>> you actually need more than the 8 bytes which are currently
>> reflected.
> OK, let me rephrase: why do you need more than 8 bytes? It looks like
> it has been working rather well for 20+ years.

Coming late to the game (I was away for vacation)...

It's handy to have more than 8 bytes of returned payload for ICMP packets
to allow for more sophisticated network health scanning metrics. Back when
I worked at UUNET, we used the ICMP ECHO REQUEST packets to carry accurate
timestamps for monitoring dispersion of multicast datagrams to select hosts.

I know, ICMP ECHO REQUEST packets have required all payload to be returned
since at least RFC 1712 - so it's not exactly the same as what is being
changed here... I imagine that a similar generic treatment of payload data
for other ICMP message types might be handy too.

-Kurt

___
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
Re: svn commit: r336465 - in head/sys/netinet: . tcp_stacks
On Thu, 19 Jul 2018, 08:09-0400, Michael Tuexen wrote:
> > On 19. Jul 2018, at 03:12, Maxim Konovalov wrote:
> >
> > Hi Randall,
> >
> > On Wed, 18 Jul 2018, 22:49-, Randall Stewart wrote:
> >
> >> Author: rrs
> >> Date: Wed Jul 18 22:49:53 2018
> >> New Revision: 336465
> >> URL: https://svnweb.freebsd.org/changeset/base/336465
> >>
> >> Log:
> >> Bump the ICMP echo limits to match the RFC
> >>
> > [...]
> >
> > Just wonder, are there any practical reasons to do that?
> In case you send encapsulated packets triggering an ICMP message
> you actually need more than the 8 bytes which are currently
> reflected.

OK, let me rephrase: why do you need more than 8 bytes? It looks like
it has been working rather well for 20+ years.

--
Maxim Konovalov
Re: svn commit: r336465 - in head/sys/netinet: . tcp_stacks
> On 19. Jul 2018, at 03:12, Maxim Konovalov wrote:
>
> Hi Randall,
>
> On Wed, 18 Jul 2018, 22:49-, Randall Stewart wrote:
>
>> Author: rrs
>> Date: Wed Jul 18 22:49:53 2018
>> New Revision: 336465
>> URL: https://svnweb.freebsd.org/changeset/base/336465
>>
>> Log:
>> Bump the ICMP echo limits to match the RFC
>>
> [...]
>
> Just wonder, are there any practical reasons to do that?
In case you send encapsulated packets triggering an ICMP message
you actually need more than the 8 bytes which are currently
reflected.

The number 8 comes from RFC 792, which was published in 1981. The new
number comes from RFC 1812, which was published in 1995.
>
> While I don't see any meaningful vectors right now this could
> potentially make amplification DoS easier, no?
I don't think so. When sending packets smaller than 576 - 20 - 8, you
get a byte amplification of 8 bytes.

Please note that IPv6 already reflects as much as fits in a single
packet. So this is not something completely new...

Best regards
Michael
>
> --
> Maxim Konovalov
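A small model of the size argument in the reply above, added here as an example and not part of the thread: it compares the ICMPv4 error datagram produced under the old 8-byte quote (RFC 792) and the new 548-byte quote (RFC 1812, the committed default of 576 - 28), and searches for the worst-case reply-to-trigger ratio. It assumes a 20-byte IPv4 header without options, an 8-byte ICMP error header, and a quote limit counted in bytes of the original datagram including its IP header; it is a simplified model, not FreeBSD's icmp_error() logic.

```python
# Added example (not part of the thread): model the on-the-wire size of an
# ICMPv4 error message under the RFC 792 quote policy (IP header + 8 bytes,
# the old quotelen default of 8) and the RFC 1812 policy behind the new
# default of 548 (576 - 28), then find the worst-case amplification ratio.
# Assumptions: 20-byte IPv4 header without options, 8-byte ICMP error
# header, quote_limit counted in bytes of the original datagram including
# its IP header. Simplified model, not FreeBSD's icmp_error() code.

IP_HDR = 20
ICMP_HDR = 8
RFC792_QUOTE = IP_HDR + 8                  # original IP header + 8 bytes
RFC1812_QUOTE = 576 - IP_HDR - ICMP_HDR    # 548, as in the committed default


def icmp_error_len(orig_len, quote_limit):
    """Bytes in the ICMP error datagram triggered by an IP datagram of
    orig_len bytes when at most quote_limit bytes of it are quoted."""
    if orig_len < IP_HDR:
        raise ValueError("original datagram shorter than an IPv4 header")
    quoted = min(orig_len, quote_limit)
    return IP_HDR + ICMP_HDR + quoted


def amplification(orig_len, quote_limit):
    """Reply bytes per triggering byte; > 1.0 means the error message is
    larger than the datagram that caused it."""
    return icmp_error_len(orig_len, quote_limit) / orig_len


def worst_case_amplification(quote_limit, min_len=IP_HDR + 8, max_len=1500):
    """Scan trigger sizes from a header-only datagram up to an Ethernet-sized
    one; return (highest ratio, trigger size at which it occurs)."""
    best = max(range(min_len, max_len + 1),
               key=lambda n: amplification(n, quote_limit))
    return amplification(best, quote_limit), best


if __name__ == "__main__":
    for label, limit in (("RFC 792 (quotelen 8)", RFC792_QUOTE),
                         ("RFC 1812 (quotelen 548)", RFC1812_QUOTE)):
        ratio, at = worst_case_amplification(limit)
        print(f"{label}: worst ratio {ratio:.2f}x at a {at}-byte trigger; "
              f"a 576-byte trigger yields a {icmp_error_len(576, limit)}-byte error")
```

In this model the worst-case ratio (a 28-byte header-only trigger answered by a 56-byte error) is 2x under both policies; what the new default changes is that errors for triggers up to 548 bytes carry a fixed 28 extra bytes instead of shrinking to 56, capped at 576 bytes in total.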
Re: svn commit: r336465 - in head/sys/netinet: . tcp_stacks
Hi Randall,

On Wed, 18 Jul 2018, 22:49-, Randall Stewart wrote:

> Author: rrs
> Date: Wed Jul 18 22:49:53 2018
> New Revision: 336465
> URL: https://svnweb.freebsd.org/changeset/base/336465
>
> Log:
> Bump the ICMP echo limits to match the RFC
>
[...]

Just wonder, are there any practical reasons to do that?

While I don't see any meaningful vectors right now this could
potentially make amplification DoS easier, no?

--
Maxim Konovalov
svn commit: r336465 - in head/sys/netinet: . tcp_stacks
Author: rrs
Date: Wed Jul 18 22:49:53 2018
New Revision: 336465
URL: https://svnweb.freebsd.org/changeset/base/336465

Log:
Bump the ICMP echo limits to match the RFC

Reviewed by: tuexen
Sponsored by: Netflix Inc.
Differential Revision: https://reviews.freebsd.org/D16333

Modified:
head/sys/netinet/ip_icmp.c
head/sys/netinet/tcp_stacks/rack.c

Modified: head/sys/netinet/ip_icmp.c
==
--- head/sys/netinet/ip_icmp.c Wed Jul 18 22:45:45 2018(r336464) +++ head/sys/netinet/ip_icmp.c Wed Jul 18 22:49:53 2018(r336465) @@ -139,8 +139,8 @@ static VNET_DEFINE(int, icmp_rfi) = 0; SYSCTL_INT(_net_inet_icmp, OID_AUTO, reply_from_interface, CTLFLAG_VNET | CTLFLAG_RW, _NAME(icmp_rfi), 0, "ICMP reply from incoming interface for non-local packets"); - -static VNET_DEFINE(int, icmp_quotelen) = 8; +/* Router requirements RFC 1812 section 4.3.2.3 requires 576 - 28. */ +static VNET_DEFINE(int, icmp_quotelen) = 548; #defineV_icmp_quotelen VNET(icmp_quotelen) SYSCTL_INT(_net_inet_icmp, OID_AUTO, quotelen, CTLFLAG_VNET | CTLFLAG_RW, _NAME(icmp_quotelen), 0,

Modified: head/sys/netinet/tcp_stacks/rack.c
==
--- head/sys/netinet/tcp_stacks/rack.c Wed Jul 18 22:45:45 2018 (r336464) +++ head/sys/netinet/tcp_stacks/rack.c Wed Jul 18 22:49:53 2018 (r336465) @@ -1627,7 +1627,6 @@ rack_process_rst(struct mbuf *m, struct tcphdr *th, st static void rack_challenge_ack(struct mbuf *m, struct tcphdr *th, struct tcpcb *tp, int32_t * ret_val) { - INP_INFO_RLOCK_ASSERT(_tcbinfo); TCPSTAT_INC(tcps_badsyn); @@ -6103,7 +6102,6 @@ rack_do_lastack(struct mbuf *m, struct tcphdr *th, str return (ret_val); } if (ourfinisacked) { - INP_INFO_RLOCK_ASSERT(_tcbinfo); tp = tcp_close(tp); rack_do_drop(m, tp);
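Review bot: in the ip_icmp.c hunk, the log line "Bump the ICMP echo limits to match the RFC" does not describe what is changed: the constant is icmp_quotelen, the sysctl that controls how much of the offending datagram is quoted in ICMP error messages, and nothing about echo; that wording is what triggered the questions in this thread. Suggest a log along the lines of "Raise the default ICMP quote length from 8 to 548 bytes (576 - 28) per RFC 1812 section 4.3.2.3" and a note that the value stays tunable at run time (the SYSCTL_INT is CTLFLAG_RW) for operators who prefer the old behaviour. The new comment says RFC 1812 "requires 576 - 28"; section 4.3.2.3 phrases this as a SHOULD (as much of the original datagram as possible without the ICMP datagram exceeding 576 bytes), so "recommends" is more accurate, and since the hunk does not show whether the 548 bytes are counted from the start of the original IP header or after it, it is worth confirming in the review that the resulting datagram really stays within 576 bytes.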
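Review bot: in the first rack.c hunk, removing INP_INFO_RLOCK_ASSERT(_tcbinfo) from rack_challenge_ack() is unrelated to the ICMP quote length change and is not mentioned in the log message; either split it into its own commit or add a sentence to the log stating which locking change made the assertion wrong. Dropping an assertion silently removes a locking check rather than documenting why it no longer applies.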
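Review bot: the same applies to the assertion removed in the second rack.c hunk, in rack_do_lastack(): the context shows tcp_close(tp) is called on the very next line, so the log should state what lock the caller holds at this point (or that the info read lock is no longer expected here), otherwise a reader cannot tell whether this is a correct cleanup or a masked locking bug. If the lock really is not held here any more, a short comment at the call site saying so would help the next person who touches this path.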