Re: Broken PMTUD in FreeBSD?

[Mikael Olsson <mikael.olsson () clavister com>]

Phil Dibowitz wrote:
> [FreeBSD doesn't set DF in SYN/ACK]
>
> I don't consider this a big security hole, but it is a bug. It could 
> be used to do TCP fingerprinting, and it also breaks a standard 

Is this really a bug? I wouldn't be so sure. What is the purpose of
setting DF in a SYN/ACK segment ? It's not like it can react to 
returned ICMP errors and decrease the size of segment (only 40 bytes
of IP and TCP header and a few options).

I'd even argue that it's a feature. If something has an MTU that
is so small that it can't pass TCP segments without data, there's
nothing to be done about it, and you should let fragmentation occur.


The fingerprinting point is sort of valid, I guess. However, since 
there are already BSD boxes out there doing this, the fingerprint 
value would be even greater (the fingerprint match more narrow) if 
one were to change it now.

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

"Senex semper diu dormit"