Bugtraq mailing list archives
Re: ICMP fragmentation required but DF set problems.
From: antirez <antirez () invece org>
Date: Tue, 23 Jan 2001 21:15:21 +0100
On Mon, Jan 22, 2001 at 06:15:33PM -0500, Niels Provos wrote:
IPv6 is another case though. Here you have mandatory PMTU for all protocols.
In this case, and even with IPv4 if you want a UDP PMTU API and so on, the only way seems to be to sign the outgoing packets with an HMAC and a local key. So you will be able to check whether the quoted packet in the ICMP error was sent by your host. With IPv4 you can use the ip.id field since it's useless with the DF bit set, but a 16 bit protection is very weak. Another way may be to add a bogus IP option, since fully-standard TCP/IP stacks will ignore the option, that contains the HMAC, but unfortunately all kinds of firewalls will drop these packets. With IPv6 the clearest way seems a new next-header with the HMAC that provides the authentication. No key exchange is needed, you just sign your own packets to recognize them later.

antirez

--
Salvatore Sanfilippo | <antirez () invece org>
http://www.kyuzz.org/antirez | PGP: finger antirez () tella alicom com
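The ip.id variant described in the message above, as an added example that is not part of the original post: a truncated HMAC under a host-local key goes into ip.id on send and is recomputed from the packet quoted in an ICMP "fragmentation needed" error. The function names, the choice of HMAC-SHA256, the set of fields covered (addresses, protocol, first 8 payload bytes, assuming no NAT on the path) and the sample addresses are assumptions of this sketch.

```python
import hashlib
import hmac
import os
import socket
import struct

LOCAL_KEY = os.urandom(32)  # per-host secret (assumed: generated at boot, never shared)
DF = 0x4000                 # "don't fragment" bit in the flags/fragment-offset word

def tag16(src, dst, proto, first8):
    """HMAC-SHA256 over fields forwarding leaves unchanged, truncated to 16 bits."""
    msg = src + dst + bytes([proto]) + first8
    return hmac.new(LOCAL_KEY, msg, hashlib.sha256).digest()[:2]

def build_packet(src_ip, dst_ip, proto, payload):
    """IPv4 header with DF set and the tag in ip.id (checksum left 0 in this sketch)."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    ident = int.from_bytes(tag16(src, dst, proto, payload[:8]), "big")
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      DF, 64, proto, 0, src, dst)
    return hdr + payload

def frag_needed(packet, mtu, ttl_seen=50):
    """Constructed ICMP type 3 code 4 quoting the IP header plus 8 payload bytes."""
    quoted = bytearray(packet[:28])
    quoted[8] = ttl_seen  # TTL differs from what was sent, so it is not in the HMAC
    return struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + bytes(quoted)

def accept_pmtu(icmp):
    """Return the advertised MTU if the quoted packet carries our tag, else None."""
    if len(icmp) < 36 or icmp[0] != 3 or icmp[1] != 4:
        return None
    mtu = struct.unpack("!H", icmp[6:8])[0]
    q = icmp[8:]
    ihl = (q[0] & 0x0F) * 4
    if ihl < 20 or len(q) < ihl + 8:
        return None
    if not struct.unpack("!H", q[6:8])[0] & DF:
        return None  # we only tag packets sent with DF set
    expected = tag16(q[12:16], q[16:20], q[9], q[ihl:ihl + 8])
    return mtu if hmac.compare_digest(q[4:6], expected) else None
```

With only 16 bits of tag, a blind sender gets a match about once in 65536 tries, which is the weakness the message points out; the IP-option and IPv6 next-header variants would carry the full HMAC output instead.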