| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 19 Dec 2013 10:42:12 -0500 From: John Heffner <johnwheffner@...il.com> To: David Miller <davem@...emloft.net>, Netdev <netdev@...r.kernel.org>, Eric Dumazet <eric.dumazet@...il.com> Subject: Re: [PATCH net-next] ipv4: introduce ip_dst_mtu_secure and protect forwarding path against pmtu spoofing On Thu, Dec 19, 2013 at 7:17 AM, Hannes Frederic Sowa <hannes@...essinduktion.org> wrote: > Networking software on the end system which wants to guard against > that kind of fragmentation can do so by using the various knobs to > limit pmtu notification processing or use IP_PMTUDISC_INTERFACE to > protect itself from sending fragments. (Note, all other methods but > IP_PMTUDISC_INTERFACE have impact on all protocols, which could also > break other services on that box). But if one has a linux router without > complex icmp payload checking firewall enabled, the packets send without > DF-bit will get fragmented at the next hops if an attacker managed to > send such a spoofed pmtu notification to that router. They simply need to > traceroute the path. We should avoid that! The best practice for setting up routers usually involves separate management and forwarding interfaces. It's fairly simple to set up firewall rules in such a configuration. -John -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists