| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20131219.001203.1942468169345523058.davem@davemloft.net> Date: Thu, 19 Dec 2013 00:12:03 -0500 (EST) From: David Miller <davem@...emloft.net> To: hannes@...essinduktion.org Cc: johnwheffner@...il.com, netdev@...r.kernel.org, eric.dumazet@...il.com Subject: Re: [PATCH net-next] ipv4: introduce ip_dst_mtu_secure and protect forwarding path against pmtu spoofing From: Hannes Frederic Sowa <hannes@...essinduktion.org> Date: Thu, 19 Dec 2013 01:07:59 +0100 > On Wed, Dec 18, 2013 at 06:55:13PM -0500, John Heffner wrote: >> On using the interface MTU for all forwarded packets, I have a similar >> reaction as David. And why are forwarded packets more special than >> local ones, from the routing code's point of view? It seems like >> there could be other ways to harden a router, like firewall rules. > > I doubt it is trivial to set up such a filter as we have to inspect > the payload of the icmp error. I played with it and it is certainly > possible, but my intention was that the networking stack does try to > prevent fragmentation and delay generation of fragments to the last > router on the path where it is necessary. John's more important point is why treat forwarded traffic specially from that which is locally generated? -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists