Bugtraq mailing list archives
Broken PMTUD in FreeBSD?
From: Phil Dibowitz <webmaster () ipom com>
Date: Mon, 10 Jun 2002 12:52:56 -0700
[Note: I accidentally posted this last week from the wrong email address. It's probably sitting in queue somewhere - but since it hasn't come through yet, I'm sending it from the correct address, I'm sorry if you get this twice]
[Note2: Dave A., since I haven't heard back from you, I'm assuming this is OK to post.]
Bugtraqers,

BUG OVERVIEW
I believe there is a bug in the PMTUD (Path MTU Discovery) implementation in FreeBSD. According to RFC 1191, when using PMTUD all TCP datagrams must have the Don't Fragment (DF) bit set. It seems that FreeBSD does not fully obey this rule. On "SYN ACK" packets, the DF bit is not set. It is set on all other packets though (including SYN packets). The details are below - I have been unable to find any reason for this behavior, but if someone can explain a reason for this other than it being a bug, wonderful, you're smarter than I am! =)
NOTIFICATION
My friend Richard van den Berg, who originally found the bug, posted to the FreeBSD mailing list on April 21, 2002. The post can be found here:
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=9182+0+archive/2002/freebsd-net/20020428.freebsd-net
That's a month and a half of notice. We received no response either on the list or in person.
SEVERITY
I don't consider this a big security hole, but it is a bug. It could be used to do TCP fingerprinting, and it also breaks a standard (which makes troubleshooting PMTUD blackholes a little more difficult, something Richard and I do as part of the MSS Initiative[1]).
DETAILS
I have made available packet sniffer logs of both sides of a test at the following locations.
http://home.earthlink.net/~jaymzh666/mss/snoop-log-solaris-to-bsd.gz
http://home.earthlink.net/~jaymzh666/mss/tcpdump-log-bsd-to-solaris.gz

The test systems were as follows:
$ uname -a
SunOS mort 5.9 s81_57 sun4u sparc SUNW,Sun-Blade-100
$ uname -a
FreeBSD trantor.xs4all.nl 5.0-CURRENT FreeBSD 5.0-CURRENT #6: Mon Apr 15 20:16:39 MET DST 2002 paulz () trantor xs4all nl:/usr/obj/usr/source/src/sys/trantor i386

If I can provide any more information, or if you have any light to shed on this topic, please feel free to let me know.
[1] MSS Initiative: http://home.earthlink.net/~jaymzh666/mss/

Sincerely,
Phil Dibowitz
--
Insanity Palace of Metallica
http://www.ipom.com
webmaster () ipom com
--
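The compliance check described in the post (every TCP datagram must carry DF while PMTUD is in use, and the capture shows the SYN-ACK without it) can be automated over raw IPv4/TCP headers. The following is an added example, not code from the post or from FreeBSD; the packets it inspects are constructed inline to mirror the reported handshake, and the addresses are documentation-range placeholders.

```python
import struct

SYN, ACK = 0x02, 0x10
DF_BIT = 0x4000  # "Don't Fragment" is bit 14 of the IPv4 flags/fragment-offset word

def build_tcp_packet(src, dst, sport, dport, tcp_flags, df):
    """Construct a minimal IPv4 + TCP header pair (no payload, zero checksums).
    Fabricated sample traffic only; not taken from the posted capture logs."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, DF_BIT if df else 0,
                     64, 6, 0, src_b, dst_b)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags,
                      65535, 0, 0)
    return ip + tcp

def segment_kind(tcp_flags):
    """Name the handshake role of a segment from its TCP flag byte."""
    if tcp_flags & SYN:
        return "SYN-ACK" if tcp_flags & ACK else "SYN"
    return "ACK" if tcp_flags & ACK else "OTHER"

def find_df_violations(packets):
    """Return (kind, src, dst) for every IPv4 TCP segment sent without DF.
    RFC 1191 requires DF on all datagrams while PMTUD is in use, so each
    entry is a compliance failure (the post reports them on SYN-ACKs)."""
    violations = []
    for pkt in packets:
        version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
        if version != 4 or pkt[9] != 6:      # skip non-IPv4 / non-TCP
            continue
        df_set = bool(struct.unpack("!H", pkt[6:8])[0] & DF_BIT)
        if df_set:
            continue
        src = ".".join(map(str, pkt[12:16]))
        dst = ".".join(map(str, pkt[16:20]))
        violations.append((segment_kind(pkt[ihl + 13]), src, dst))
    return violations

# Constructed handshake: client sets DF on SYN and ACK, server omits it on the SYN-ACK.
SAMPLE_HANDSHAKE = [
    build_tcp_packet("192.0.2.10", "192.0.2.20", 40000, 80, SYN, df=True),
    build_tcp_packet("192.0.2.20", "192.0.2.10", 80, 40000, SYN | ACK, df=False),
    build_tcp_packet("192.0.2.10", "192.0.2.20", 40000, 80, ACK, df=True),
]
```

Running `find_df_violations(SAMPLE_HANDSHAKE)` flags only the server's SYN-ACK, which is the pattern the post describes; feeding it frames parsed from a real capture would surface the same thing on live traffic.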
Current thread:
- Broken PMTUD in FreeBSD? Phil Dibowitz (Jun 10)
- Re: Broken PMTUD in FreeBSD? Jean-Yves Lefort (Jun 11)
- Re: Broken PMTUD in FreeBSD? Phil Dibowitz (Jun 12)
- Re: Broken PMTUD in FreeBSD? Mikael Olsson (Jun 11)
- Re: Broken PMTUD in FreeBSD? Jean-Yves Lefort (Jun 11)