Message-ID: <20041017132905.R88652@dekadens.coredump.cx>
From: lcamtuf at coredump.cx (Michal Zalewski)
Subject: [SPAM] Your daily internet traffic report

On Sun, 17 Oct 2004, Dave Horsfall wrote:

> To those who seek to block ICMP, I say: "Let them."  I'm sure that a
> certain Mr. Charles Darwin will soon sort them out.

What if I just don't set DF on my outgoing traffic, and block incoming
ICMP?

PMTUD is a silly mechanism in that it tends to rely on _diagnostic_
messages that were sometimes blocked for security reasons even before it
was first proposed; and that, without kludges, it breaks spectacularly and
offers no easy recovery if these messages are blocked. The RFC said:

   The Internet Protocol is not designed to be absolutely reliable.  The
   purpose of these control messages is to provide feedback about
   problems in the communication environment, not to make IP reliable.
   There are still no guarantees that a datagram will be delivered or a
   control message will be returned.

Clearly indicating that it is a bad idea to rely on ICMP responses as
absolutely essential for higher-order protocols to work well. Furthermore:

      Another case is when a datagram must be fragmented to be forwarded
      by a gateway yet the Don't Fragment flag is on.  In this case the
      gateway must discard the datagram and may return a destination
      unreachable message.

Notice "may". I do not even violate RFC by not sending back "fragmentation
required but DF set" messages.

This is why DF is often cleared by commercial NAT firewalls, proxies and
so forth - to ensure reliability, rather than some added performance.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2004-10-17 13:29 --

   http://lcamtuf.coredump.cx/photo/current/
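The behaviour the post describes (DF set plus blocked or never-sent "fragmentation needed" messages gives a PMTUD black hole, while clearing DF lets gateways fragment and deliver) can be modelled in a few dozen lines. The following is an added example written for this archive page, not code from the original post or its author; the hop MTUs, packet sizes, the `Hop`/`Result` types and the `forward`/`pmtud_send` helpers are all constructed for illustration, and the Linux socket option values at the end are assumptions noted in the comments.

```python
"""Toy model of Path MTU Discovery (PMTUD) and the ICMP black hole.

Added example, not part of the original mailing-list post. The path,
MTUs and packet sizes are constructed for illustration.
"""
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple

IP_HEADER = 20  # bytes, IPv4 header without options


@dataclass
class Hop:
    mtu: int
    sends_icmp: bool = True  # RFC 791: the gateway "may" return Frag Needed


@dataclass
class Result:
    delivered: bool
    fragments: int            # IP fragments that arrived (1 = unfragmented)
    icmp_mtu: Optional[int]   # MTU reported by ICMP "frag needed", if any


def fragment(size: int, mtu: int) -> List[int]:
    """Split a datagram of `size` bytes into fragments that fit `mtu`.
    Fragment payloads (except the last) must be multiples of 8 bytes."""
    per = (mtu - IP_HEADER) // 8 * 8
    payload = size - IP_HEADER
    out = []
    while payload > 0:
        chunk = min(per, payload)
        out.append(chunk + IP_HEADER)
        payload -= chunk
    return out


def forward(size: int, df: bool, path: List[Hop],
            icmp_inbound_blocked: bool = False) -> Result:
    """Push one datagram (or its fragments) hop by hop along `path`."""
    frags = [size]
    for hop in path:
        nxt: List[int] = []
        for f in frags:
            if f <= hop.mtu:
                nxt.append(f)
            elif df:
                # Too big and DF set: the gateway must drop it. Whether the
                # sender ever learns why depends on the gateway choosing to
                # send ICMP and on that ICMP surviving the sender's firewall.
                if hop.sends_icmp and not icmp_inbound_blocked:
                    return Result(False, 0, hop.mtu)
                return Result(False, 0, None)
            else:
                nxt.extend(fragment(f, hop.mtu))  # DF clear: gateway fragments
        frags = nxt
    return Result(True, len(frags), None)


def pmtud_send(size: int, path: List[Hop], icmp_inbound_blocked: bool,
               max_tries: int = 5) -> Tuple[bool, int, int]:
    """Classic PMTUD sender: DF set, shrink on ICMP, retransmit otherwise.
    Returns (delivered, last size tried, attempts used)."""
    for attempt in range(1, max_tries + 1):
        r = forward(size, True, path, icmp_inbound_blocked)
        if r.delivered:
            return True, size, attempt
        if r.icmp_mtu is not None:
            size = r.icmp_mtu      # feedback arrived: adapt and retry
        # else: black hole, nothing tells us why; retransmit the same size
    return False, size, max_tries


def no_df_send(size: int, path: List[Hop]) -> Result:
    """What the post proposes: don't set DF, let gateways fragment."""
    return forward(size, False, path)


def clear_df(sock: socket.socket) -> None:
    """Ask a Linux kernel never to set DF on this socket.
    Assumption: IP_MTU_DISCOVER == 10 and IP_PMTUDISC_DONT == 0 as in
    linux/in.h; numeric fallbacks are used if the socket module lacks them."""
    opt = getattr(socket, "IP_MTU_DISCOVER", 10)
    val = getattr(socket, "IP_PMTUDISC_DONT", 0)
    sock.setsockopt(socket.IPPROTO_IP, opt, val)


if __name__ == "__main__":
    path = [Hop(1500), Hop(1400), Hop(1280)]  # constructed sample path
    print("PMTUD, ICMP allowed :", pmtud_send(1500, path, False))
    print("PMTUD, ICMP blocked :", pmtud_send(1500, path, True))
    print("DF clear            :", no_df_send(1500, path))
```

Running it shows the three cases side by side: with ICMP flowing, the sender converges on 1280 after two "fragmentation needed" replies; with inbound ICMP blocked (or a gateway that exercises the "may" and sends nothing), every retransmission of the 1500-byte datagram vanishes and the sender never learns the path MTU; with DF clear, the same datagram arrives as three fragments. The `clear_df` helper is the per-socket equivalent of what the post says NAT firewalls and proxies do on the wire.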

