Bugtraq mailing list archives
Re: Broken PMTUD in FreeBSD?
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Tue, 11 Jun 2002 16:34:20 +0200
Phil Dibowitz wrote:
[FreeBSD doesn't set DF in SYN/ACK] I don't consider this a big security hole, but it is a bug. It could be used to do TCP fingerprinting, and it also breaks a standard
Is this really a bug? I wouldn't be so sure.

What is the purpose of setting DF in a SYN/ACK segment? It's not like it can react to returned ICMP errors and decrease the size of segment (only 40 bytes of IP and TCP header and a few options).

I'd even argue that it's a feature. If something has an MTU that is so small that it can't pass TCP segments without data, there's nothing to be done about it, and you should let fragmentation occur.

The fingerprinting point is sort of valid, I guess. However, since there are already BSD boxes out there doing this, the fingerprint value would be even greater (the fingerprint match more narrow) if one were to change it now.

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00
Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50
WWW: http://www.clavister.com
"Senex semper diu dormit"
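The fields this message argues about, read from a SYN/ACK, as an added example that is not part of the original post. The datagrams are constructed (documentation addresses, arbitrary ports and sequence numbers, zero checksums), and the comparison against the 68-octet datagram size that RFC 791 requires every internet module to forward unfragmented is an assumption brought in here, not something the message cites.

```python
import struct

IP_DF = 0x4000            # "don't fragment" bit in the IPv4 flags/fragment-offset field
TCP_SYN, TCP_ACK = 0x02, 0x10
MIN_IPV4_MTU = 68         # RFC 791: forwarded without further fragmentation everywhere

def build_synack(df, tcp_options=b"\x02\x04\x05\xb4"):
    """Constructed sample SYN/ACK (default option: MSS=1460); options must be a multiple of 4 bytes."""
    doff = (20 + len(tcp_options)) // 4
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1000, 2001, doff << 4,
                      TCP_SYN | TCP_ACK, 65535, 0, 0) + tcp_options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                     IP_DF if df else 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return ip + tcp

def inspect(datagram):
    """Return DF, SYN/ACK status and sizes for one IPv4/TCP datagram."""
    if len(datagram) < 20 or datagram[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (datagram[0] & 0x0F) * 4
    total_len, _ident, frag = struct.unpack("!HHH", datagram[2:8])
    if datagram[9] != 6 or len(datagram) < ihl + 20:
        raise ValueError("not a complete TCP segment")
    doff = (datagram[ihl + 12] >> 4) * 4      # TCP header length including options
    flags = datagram[ihl + 13]
    return {
        "synack": flags & (TCP_SYN | TCP_ACK) == (TCP_SYN | TCP_ACK),
        "df": bool(frag & IP_DF),
        "total_len": total_len,
        "payload_len": total_len - ihl - doff,   # 0: nothing a sender could shrink
        "fits_min_mtu": total_len <= MIN_IPV4_MTU,
    }

if __name__ == "__main__":
    for df in (False, True):
        print("DF set" if df else "DF clear", inspect(build_synack(df)))
```

With the single MSS option the datagram is 44 bytes and carries no payload, so the DF bit changes nothing the sender could act on; it only differs as an observable header value, which is the fingerprinting point raised in the thread.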
Current thread:
- Broken PMTUD in FreeBSD? Phil Dibowitz (Jun 10)
- Re: Broken PMTUD in FreeBSD? Jean-Yves Lefort (Jun 11)
- Re: Broken PMTUD in FreeBSD? Phil Dibowitz (Jun 12)
- Re: Broken PMTUD in FreeBSD? Mikael Olsson (Jun 11)
- Re: Broken PMTUD in FreeBSD? Jean-Yves Lefort (Jun 11)