lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 08 Jan 2014 01:02:13 -0500 (EST)
From:	David Miller <davem@...emloft.net>
To:	hannes@...essinduktion.org
Cc:	netdev@...r.kernel.org, eric.dumazet@...il.com,
	johnwheffner@...il.com, steffen.klassert@...unet.com,
	fweimer@...hat.com
Subject: Re: [PATCH net-next v3 1/3] ipv4: introduce ip_dst_mtu_secure and
 protect forwarding path against pmtu spoofing

From: Hannes Frederic Sowa <hannes@...essinduktion.org>
Date: Wed, 8 Jan 2014 06:02:25 +0100

> Hi David!
> 
> On Tue, Jan 07, 2014 at 07:13:14PM -0500, David Miller wrote:
>> From: Hannes Frederic Sowa <hannes@...essinduktion.org>
>> Date: Mon, 6 Jan 2014 09:48:27 +0100
>> 
>> > +ip_forward_use_pmtu - BOOLEAN
>> > +	By default we don't trust protocol path MTUs while forwarding
>> > +	because they could be easily forged and can lead to unwanted
>> > +	fragmentation by the router.
>> > +	You only need to enable this if you have user-space software
>> > +	which tries to discover path mtus by itself and depends on the
>> > +	kernel honoring this information. This is normally not the
>> > +	case.
>> > +	Default: 0 (disabled)
>> > +	Possible values:
>> > +	0 - disabled
>> > +	1 - enabled
>> 
>> You made this default to off, great, but the description text still says
>> that we don't trust PMTU information by default :-)
> 
> Hm, sorry, but I don't see the contradiction.

You say "By default we don't trust protocol path MTUs", but if the
default value of ip_forward_use_pmtu is zero, we in fact do.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ