Re: svn commit: r336465 - in head/sys/netinet: . tcp_stacks

2018-07-29 Thread Kurt Lidl

On 7/19/18 9:18 AM, Maxim Konovalov wrote:
> On Thu, 19 Jul 2018, 08:09-0400, Michael Tuexen wrote:
>
> > > On 19. Jul 2018, at 03:12, Maxim Konovalov wrote:
> > >
> > > Hi Randall,
> > >
> > > On Wed, 18 Jul 2018, 22:49-, Randall Stewart wrote:
> > >
> > >> Author: rrs
> > >> Date: Wed Jul 18 22:49:53 2018
> > >> New Revision: 336465
> > >> URL: https://svnweb.freebsd.org/changeset/base/336465
> > >>
> > >> Log:
> > >>  Bump the ICMP echo limits to match the RFC
> > >>
> > > [...]
> > >
> > > Just wonder, are there any practical reasons to do that?
> > In case you send encapsulated packets triggering an ICMP message
> > you actually need more than the 8 bytes which are currently
> > reflected.
>
> OK, let me rephrase: why do you need more than 8 bytes?  It looks like
> it has been working rather well for 20+ years.


Coming late to the game (I was away for vacation)...

It's handy to have more than 8 bytes of returned payload for ICMP 
packets to allow for more sophisticated network health scanning metrics.


Back when I worked at UUNET, we used the ICMP ECHO REQUEST packets to 
carry accurate timestamps for monitoring dispersion of multicast 
datagrams to select hosts.  I know, ICMP ECHO REQUEST packets have 
required all payload to be returned since at least RFC 1712 - so it's 
not exactly the same as what is being changed here...


I imagine that a similar generic treatment of payload data for other 
ICMP type messages might be handy too.


-Kurt

___
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"


Re: svn commit: r336465 - in head/sys/netinet: . tcp_stacks

2018-07-19 Thread Maxim Konovalov
On Thu, 19 Jul 2018, 08:09-0400, Michael Tuexen wrote:

> > On 19. Jul 2018, at 03:12, Maxim Konovalov wrote:
> >
> > Hi Randall,
> >
> > On Wed, 18 Jul 2018, 22:49-, Randall Stewart wrote:
> >
> >> Author: rrs
> >> Date: Wed Jul 18 22:49:53 2018
> >> New Revision: 336465
> >> URL: https://svnweb.freebsd.org/changeset/base/336465
> >>
> >> Log:
> >>  Bump the ICMP echo limits to match the RFC
> >>
> > [...]
> >
> > Just wonder, are there any practical reasons to do that?
> In case you send encapsulated packets triggering an ICMP message
> you actually need more than the 8 bytes which are currently
> reflected.

OK, let me rephrase: why do you need more than 8 bytes?  It looks like
it has been working rather well for 20+ years.

-- 
Maxim Konovalov


Re: svn commit: r336465 - in head/sys/netinet: . tcp_stacks

2018-07-19 Thread Michael Tuexen
> On 19. Jul 2018, at 03:12, Maxim Konovalov  wrote:
> 
> Hi Randall,
> 
> On Wed, 18 Jul 2018, 22:49-, Randall Stewart wrote:
> 
>> Author: rrs
>> Date: Wed Jul 18 22:49:53 2018
>> New Revision: 336465
>> URL: https://svnweb.freebsd.org/changeset/base/336465
>> 
>> Log:
>>  Bump the ICMP echo limits to match the RFC
>> 
> [...]
> 
> Just wonder, are there any practical reasons to do that?
In case you send encapsulated packets triggering an ICMP message
you actually need more than the 8 bytes which are currently
reflected. The number 8 comes from RFC 792, which was
published in 1981. The new number comes from RFC 1812, which was
published in 1995.
> 
> While I don't see any meaningful vectors right now this could
> potentially make amplification DoS easier, no?
I don't think so. When sending packets smaller than 576 - 20 - 8,
you get a byte amplification of 8 bytes.

Please note that IPv6 already reflects as much as fits in a single
packet.

So this is not something completely new...

Best regards
Michael
> 
> -- 
> Maxim Konovalov
> 
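
The point about encapsulated packets in the message above, as an added example (not code from the commit or from FreeBSD): a receiver of an ICMP error tries to identify the tunnelled flow from the quoted bytes, once with a quote length of 8 and once with 548. It assumes IPv4 headers without options, IP-in-IP encapsulation and a simplified quoting model; `quoted_len`, `inner_flow`, `try_quotelen` and the sample datagram are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPHLEN 20       /* IPv4 header without options (assumption) */
#define PROTO_IPIP 4    /* IP-in-IP encapsulation */
struct flow { uint8_t src[4], dst[4]; uint16_t sport, dport; };

/* Constructed sample, 80 bytes: outer 192.0.2.1 -> 192.0.2.2 (IP-in-IP)
 * carrying inner 10.0.0.1:40000 -> 10.0.0.2:53 over UDP; payload is zeros. */
static const uint8_t SAMPLE[80] = {
    0x45,0,0,80, 0,0,0,0, 64,PROTO_IPIP,0,0, 192,0,2,1, 192,0,2,2,
    0x45,0,0,60, 0,0,0,0, 64,17,0,0,         10,0,0,1,  10,0,0,2,
    0x9c,0x40, 0,53, 0,40, 0,0,
};

/* Simplified model (assumption): the error quotes the offending datagram's
 * IP header plus at most quotelen of the bytes that follow it. */
static size_t quoted_len(size_t dgram_len, size_t quotelen)
{
    size_t rest = dgram_len - IPHLEN;
    return IPHLEN + (rest < quotelen ? rest : quotelen);
}

/* Recover the tunnelled flow from a quote; -1 if the quote is too short. */
static int inner_flow(const uint8_t *q, size_t qlen, struct flow *f)
{
    const uint8_t *in = q + IPHLEN;             /* inner IPv4 header */
    if (qlen < 2 * IPHLEN + 4 || q[9] != PROTO_IPIP)
        return -1;                              /* inner header + ports needed */
    memcpy(f->src, in + 12, 4);
    memcpy(f->dst, in + 16, 4);
    f->sport = (uint16_t)(in[IPHLEN] << 8 | in[IPHLEN + 1]);
    f->dport = (uint16_t)(in[IPHLEN + 2] << 8 | in[IPHLEN + 3]);
    return 0;
}

/* 0 if a receiver of the error can identify the inner flow, else -1. */
static int try_quotelen(size_t quotelen, struct flow *f)
{
    return inner_flow(SAMPLE, quoted_len(sizeof(SAMPLE), quotelen), f);
}

int main(void)
{
    struct flow f;
    printf("quotelen=8:   %d\n", try_quotelen(8, &f));
    printf("quotelen=548: %d\n", try_quotelen(548, &f));
    return 0;
}
```

With 8 quoted bytes the quote ends inside the inner IP header, so the inner addresses and ports never reach the sender of the tunnelled packet.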



Re: svn commit: r336465 - in head/sys/netinet: . tcp_stacks

2018-07-19 Thread Maxim Konovalov
Hi Randall,

On Wed, 18 Jul 2018, 22:49-, Randall Stewart wrote:

> Author: rrs
> Date: Wed Jul 18 22:49:53 2018
> New Revision: 336465
> URL: https://svnweb.freebsd.org/changeset/base/336465
>
> Log:
>   Bump the ICMP echo limits to match the RFC
>
[...]

Just wonder, are there any practical reasons to do that?

While I don't see any meaningful vectors right now this could
potentially make amplification DoS easier, no?

-- 
Maxim Konovalov


svn commit: r336465 - in head/sys/netinet: . tcp_stacks

2018-07-18 Thread Randall Stewart
Author: rrs
Date: Wed Jul 18 22:49:53 2018
New Revision: 336465
URL: https://svnweb.freebsd.org/changeset/base/336465

Log:
  Bump the ICMP echo limits to match the RFC
  
  Reviewed by:  tuexen
  Sponsored by: Netflix Inc.
  Differential Revision:  https://reviews.freebsd.org/D16333

Modified:
  head/sys/netinet/ip_icmp.c
  head/sys/netinet/tcp_stacks/rack.c

Modified: head/sys/netinet/ip_icmp.c
==
--- head/sys/netinet/ip_icmp.c  Wed Jul 18 22:45:45 2018(r336464)
+++ head/sys/netinet/ip_icmp.c  Wed Jul 18 22:49:53 2018(r336465)
@@ -139,8 +139,8 @@ static VNET_DEFINE(int, icmp_rfi) = 0;
 SYSCTL_INT(_net_inet_icmp, OID_AUTO, reply_from_interface, CTLFLAG_VNET | 
CTLFLAG_RW,
_NAME(icmp_rfi), 0,
"ICMP reply from incoming interface for non-local packets");
-
-static VNET_DEFINE(int, icmp_quotelen) = 8;
+/* Router requirements RFC 1812 section 4.3.2.3 requires 576 - 28. */
+static VNET_DEFINE(int, icmp_quotelen) = 548;
 #defineV_icmp_quotelen VNET(icmp_quotelen)
 SYSCTL_INT(_net_inet_icmp, OID_AUTO, quotelen, CTLFLAG_VNET | CTLFLAG_RW,
_NAME(icmp_quotelen), 0,
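
Review bot: the new comment above icmp_quotelen gives the default only as "576 - 28" and the initializer is the bare literal 548, so a reader has to work out what the 28 stands for and nothing ties the two numbers together. Consider spelling out the terms in the comment or deriving the value from a named constant. The log message also calls this a bump of "ICMP echo limits", while the only value changed here is icmp_quotelen behind the quotelen sysctl; the log should name that knob, since it is CTLFLAG_RW and an administrator who wants the previous default of 8 needs to know which one to set.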

Modified: head/sys/netinet/tcp_stacks/rack.c
==
--- head/sys/netinet/tcp_stacks/rack.c  Wed Jul 18 22:45:45 2018
(r336464)
+++ head/sys/netinet/tcp_stacks/rack.c  Wed Jul 18 22:49:53 2018
(r336465)
@@ -1627,7 +1627,6 @@ rack_process_rst(struct mbuf *m, struct tcphdr *th, st
 static void
 rack_challenge_ack(struct mbuf *m, struct tcphdr *th, struct tcpcb *tp, 
int32_t * ret_val)
 {
-
INP_INFO_RLOCK_ASSERT(_tcbinfo);
 
TCPSTAT_INC(tcps_badsyn);
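
Review bot: the only change in rack_challenge_ack() is the removal of the blank line after the opening brace, which has nothing to do with the ICMP default described in the log message. Whitespace cleanups in rack.c are better committed separately, or at least mentioned in the log, so that the history of ip_icmp.c and rack.c stays easy to search; the later rack.c hunk in rack_do_lastack() is the same kind of change.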
@@ -6103,7 +6102,6 @@ rack_do_lastack(struct mbuf *m, struct tcphdr *th, str
return (ret_val);
}
if (ourfinisacked) {
-
INP_INFO_RLOCK_ASSERT(_tcbinfo);
tp = tcp_close(tp);
rack_do_drop(m, tp);