Message-ID: <33dfec52-46c0-7eca-11f3-934a99fa54cc@stressinduktion.org>
Date:	Thu, 4 Aug 2016 12:25:41 +0200
From:	Hannes Frederic Sowa <hannes@...essinduktion.org>
To:	Alexander Heinlein <alexander.heinlein@...unet.com>,
	netdev@...r.kernel.org
Cc:	nicolas.dichtel@...nd.com
Subject: Re: IPIP tunnel with fixed TTL but no DF bit

Hello,

On 04.08.2016 08:20, Alexander Heinlein wrote:
> I would like to know why ip_tunnel_ioctl() enforces the DF bit whenever
> the tunnel device has a fixed TTL set. The same restriction is enforced
> by iproute2 (iptunnel.c and link_iptnl.c).
> 
> Ideally I would like to use an IPIP tunnel with a fixed TTL but no DF
> bit set. Otherwise for non-TCP packets that are larger than the PMTU
> size the kernel will send ICMP packets to end systems. However these
> ICMP packets are ignored by the end system since the original packets
> didn't have the DF bit set. As a result, non-TCP packets larger than the
> PMTU are being dropped.

It should prevent endless loops. Imagine you have a packet looping into
the tunnel again somehow because of a broken network setup: the tie-breaker
normally is the TTL, so if it reaches zero, the packet gets
dropped. You can do the same with the packet size. So you add yet
another tunnel header, until you can't forward it anymore and thus drop
the packet, too.

If you don't use any of those tie breakers you are vulnerable to network
outages.

Bye,
Hannes
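
The two tie-breakers Hannes describes, as an added simulation that is not part of the thread and not kernel code: a packet keeps re-entering an IPIP tunnel because of a routing loop, and the model checks which of the two limits ends the loop. The model is a deliberate simplification (an assumption, not the kernel's real forwarding path): each pass pushes one 20-byte outer IPv4 header and then forwards the packet one hop, which decrements the outer TTL; with `ttl inherit` the new outer TTL is taken from the header that just became inner, with a fixed TTL it is reset to the configured value on every encapsulation; an encapsulation that would exceed the link MTU is refused (ICMP fragmentation-needed, packet dropped) when DF is set and fragmented when it is not. The constants (MTU 1500, TTL 64, 1400-byte payload) are constructed test inputs.

```c
/*
 * Added example: why a fixed tunnel TTL without DF has no loop tie-breaker.
 * Simplified model of a packet looping through an IPIP tunnel; not kernel code.
 */
#include <stdbool.h>
#include <stdio.h>

#define IPV4_HDR_LEN 20
#define MTU          1500
#define MAX_PASSES   100000   /* guard so the unbounded case terminates */

enum outcome { DROP_TTL_EXPIRED, DROP_FRAG_NEEDED, LOOP_UNBOUNDED };

struct tunnel_cfg {
    int  fixed_ttl;   /* 0 = inherit TTL from the inner header ("ttl inherit") */
    bool df;          /* set DF on the outer header (cleared by "nopmtudisc") */
};

struct sim_result {
    enum outcome outcome;
    int passes;       /* encapsulations performed before the loop ended */
    int final_len;    /* total bytes on the wire when it ended */
};

/*
 * Loop a packet of `len` bytes and TTL `ttl` through the tunnel until one of
 * the tie-breakers fires or MAX_PASSES is reached. Fragmentation is modelled
 * only as total bytes continuing to grow, not as individual fragments.
 */
struct sim_result simulate_loop(struct tunnel_cfg cfg, int len, int ttl)
{
    struct sim_result r = { LOOP_UNBOUNDED, MAX_PASSES, len };
    int outer_ttl = ttl;  /* TTL of the outermost header currently on the packet */

    for (int pass = 0; pass < MAX_PASSES; pass++) {
        /* 1. the packet enters the tunnel: a fresh outer header is pushed */
        if (len + IPV4_HDR_LEN > MTU) {
            if (cfg.df) {
                /* DF set: cannot fragment, ICMP frag-needed goes back, packet dropped */
                r.outcome = DROP_FRAG_NEEDED;
                r.passes = pass;
                r.final_len = len;
                return r;
            }
            /* DF clear: the oversized packet is fragmented and keeps going */
        }
        len += IPV4_HDR_LEN;
        /* fixed TTL restarts the count on every encapsulation; inherit keeps it */
        outer_ttl = cfg.fixed_ttl ? cfg.fixed_ttl : outer_ttl;

        /* 2. one forwarding hop routes it back into the tunnel: TTL decremented */
        if (--outer_ttl == 0) {
            r.outcome = DROP_TTL_EXPIRED;
            r.passes = pass + 1;
            r.final_len = len;
            return r;
        }
    }
    r.final_len = len;
    return r;
}

static const char *outcome_name(enum outcome o)
{
    switch (o) {
    case DROP_TTL_EXPIRED: return "dropped: TTL expired";
    case DROP_FRAG_NEEDED: return "dropped: DF set and over MTU";
    default:               return "never dropped (loop unbounded)";
    }
}

int main(void)
{
    const struct { const char *name; struct tunnel_cfg cfg; } cases[] = {
        { "ttl inherit, DF clear", { 0,  false } },  /* TTL is the tie-breaker */
        { "ttl 64, DF set",        { 64, true  } },  /* what the kernel enforces */
        { "ttl 64, DF clear",      { 64, false } },  /* the combination refused */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct sim_result r = simulate_loop(cases[i].cfg, 1400, 64);
        printf("%-24s %-32s after %d passes, %d bytes\n", cases[i].name,
               outcome_name(r.outcome), r.passes, r.final_len);
    }
    return 0;
}
```

With `ttl inherit` the packet dies after 64 passes; with a fixed TTL and DF it dies as soon as one more header would exceed the MTU; with a fixed TTL and DF cleared neither limit ever fires, which is the combination both ip_tunnel_ioctl() and iproute2 refuse.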
