Bugtraq mailing list archives
Re: ICMP fragmentation required but DF set problems.
From: Niels Provos <provos () CITI UMICH EDU>
Date: Mon, 22 Jan 2001 18:15:33 -0500
PMTU discovery is used by TCP (primarily if not exclusively). Isn't it possible to 1. check TCP sequence numbers in ICMP frag. needed messages generated as a response to a TCP datagram (in the same way they should be checked on any ICMP dest. unreachable to prevent a trivial DoS), 2. disregard any other ICMP frag. needed message?
That's how we do it in OpenBSD in the IPv4 case. Since the ICMP has to include the IP packet + 8 bytes from the following header, you can just look up any tcb that corresponds to the quoted TCP header in the ICMP need fragment message. If you dont have such a tcb, you ignore the ICMP message. This basically reduces the attack to an adversary who can sniff your connection, but that would allow her to do all kinds of other things to your TCP connection. IPv6 is another case though. Here you have mandatory PMTU for all protocols. Niels.
Current thread:
- ICMP fragmentation required but DF set problems. antirez (Jan 15)
- Re: ICMP fragmentation required but DF set problems. Ofir Arkin (Jan 16)
- Re: ICMP fragmentation required but DF set problems. antirez (Jan 16)
- Re: ICMP fragmentation required but DF set problems. Peter Mathiasson (Jan 16)
- Re: ICMP fragmentation required but DF set problems. Pavel Kankovsky (Jan 22)
- Re: ICMP fragmentation required but DF set problems. antirez (Jan 23)
- <Possible follow-ups>
- Re: ICMP fragmentation required but DF set problems. Niels Provos (Jan 23)
- Re: ICMP fragmentation required but DF set problems. antirez (Jan 23)
- Re: ICMP fragmentation required but DF set problems. Mark . Andrews (Jan 24)
- Re: ICMP fragmentation required but DF set problems. Felix von Leitner (Jan 25)
- Re: ICMP fragmentation required but DF set problems. Ofir Arkin (Jan 16)