Bugtraq mailing list archives

Re: TOS Field value in ICMP Error Messages with LINUX Kernels 2.2.x & 2.4


From: Robert Bihlmeyer <robbe () ORCUS PRIV AT>
Date: Tue, 17 Oct 2000 17:45:56 +0200

Ofir Arkin <ofir () ITCON-LTD COM> writes:

> RFC 1349 states that ICMP Error messages should be
> sent with TOS field value of 0x00. Nearly all stack implementations
> send back 0x00 as the TOS field value when generating an ICMP error
> message. All but LINUX.

There seems to be a misunderstanding about what bits comprise the "TOS
field". Specifically, you cite rfc1349 which talks about a four bit
"TOS field", which is part of the "type of service octet". Here you
seem to refer to the whole octet:

> Fyodor had outlined in his paper "Remote OS Identification by TCP/IP
> Fingerprinting" the fact that LINUX is using the value of 0xc0 (an
> unused precedence value) as its TOS field value with ICMP Port
> Unreachable error messages.

rfc1349 does say nothing about precedence, so the tos *octet* may as
well be non-zero.

[...]

> How is the TOS field value used in the LINUX ICMP Error message
> calculated?

Essentially, what Linux does boils down to (tos denotes the whole
octet, here):

icmp_error->tos = (incoming->tos & 0x1E) | 0xC0

This is readily apparent from the source code (net/ipv4/icmp.h)

The code implements the following SHOULDs of rfc1812:

 4.3.2.5 TOS and Precedence

   ICMP error messages SHOULD have their TOS bits set to the same value
   as the TOS bits in the packet that provoked the sending of the ICMP
   error message, unless setting them to that value would cause the ICMP
   error message to be immediately discarded because it could not be
   routed to its destination. [...]  An ICMP reply message SHOULD
   have its TOS bits set to the same value as the TOS bits in the ICMP
   request that provoked the reply.

   ICMP Source Quench error messages, [...] All other ICMP error
   messages (Destination Unreachable, Redirect, Time Exceeded, and
   Parameter Problem) SHOULD have their precedence value set to 6
   (INTERNETWORK CONTROL) or 7 (NETWORK CONTROL). [...]

I hope this will clarify the subject.

Ditto,

--
Robbe
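
The expression quoted in the message above, worked through in C as an added example that is not part of the original post or the kernel source. The function and enum names are hypothetical and the sample octets are constructed; the bit layout (three precedence bits, four TOS bits, one must-be-zero bit) is the one RFC 1349 defines.

```c
#include <stdint.h>
#include <stdio.h>

/* IPv4 type-of-service octet per RFC 1349:
 * bits 7-5 precedence, bits 4-1 the four-bit "TOS field", bit 0 must be zero. */
#define TOS_FIELD_MASK            0x1E
#define PREC_INTERNETWORK_CONTROL 6

uint8_t tos_precedence(uint8_t octet) { return (uint8_t)(octet >> 5); }
uint8_t tos_field(uint8_t octet)      { return (uint8_t)((octet & TOS_FIELD_MASK) >> 1); }

/* The expression from the message: keep the four TOS bits of the packet
 * that provoked the error, force precedence 6 (0xC0), clear the MBZ bit. */
uint8_t icmp_error_tos(uint8_t incoming_octet)
{
    return (uint8_t)((incoming_octet & TOS_FIELD_MASK) |
                     (PREC_INTERNETWORK_CONTROL << 5));
}

enum tos_verdict { TOS_ALL_ZERO, TOS_MATCHES_EXPRESSION, TOS_OTHER };

/* Compare the octet seen on an ICMP error with the octet of the packet
 * that provoked it (hypothetical helper for reading a packet capture). */
enum tos_verdict classify_error_tos(uint8_t incoming_octet, uint8_t error_octet)
{
    if (error_octet == icmp_error_tos(incoming_octet))
        return TOS_MATCHES_EXPRESSION;
    if (error_octet == 0x00)
        return TOS_ALL_ZERO;
    return TOS_OTHER;
}

int main(void)
{
    /* Constructed sample octets for the provoking packet. */
    const uint8_t samples[] = { 0x00, 0x10, 0x08, 0xFF };

    for (size_t i = 0; i < sizeof samples; i++) {
        uint8_t out = icmp_error_tos(samples[i]);
        printf("in=0x%02X -> error=0x%02X (precedence %u, TOS field 0x%X, verdict %d)\n",
               (unsigned)samples[i], (unsigned)out,
               (unsigned)tos_precedence(out), (unsigned)tos_field(out),
               (int)classify_error_tos(samples[i], out));
    }
    return 0;
}
```

With a zero octet on the provoking packet the result is 0xC0: the whole octet is non-zero while the four-bit TOS field is still zero.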
