Open Source and information security mailing list archives
 
Message-ID: <20240326165554.541551c3@kernel.org>
Date: Tue, 26 Mar 2024 16:55:54 -0700
From: Jakub Kicinski <kuba@...nel.org>
To: Neal Cardwell <ncardwell@...gle.com>
Cc: Eric Dumazet <edumazet@...gle.com>, Paolo Abeni <pabeni@...hat.com>,
 netdev@...r.kernel.org
Subject: Re: ICMP_PARAMETERPROB and ICMP_TIME_EXCEEDED during connect

On Tue, 26 Mar 2024 23:03:26 +0100 Neal Cardwell wrote:
> On Tue, Mar 26, 2024 at 9:34 PM Jakub Kicinski <kuba@...nel.org> wrote:
> >
> > Hi!
> >
> > I got a report from a user surprised/displeased that ICMP_TIME_EXCEEDED
> > breaks connect(), while TCP RFCs say it shouldn't. Even pointing a
> > finger at Linux, RFC5461:
> >
> >    A number of TCP implementations have modified their reaction to all
> >    ICMP soft errors and treat them as hard errors when they are received
> >    for connections in the SYN-SENT or SYN-RECEIVED states.  For example,
> >    this workaround has been implemented in the Linux kernel since
> >    version 2.0.0 (released in 1996) [Linux].  However, it should be
> >    noted that this change violates section 4.2.3.9 of [RFC1122], which
> >    states that these ICMP error messages indicate soft error conditions
> >    and that, therefore, TCP MUST NOT abort the corresponding connection.
> >
> > Is there any reason we continue with this behavior or is it just that
> > nobody ever sent a patch?  
> 
> Back in November of 2023 Eric did merge a patch to bring the
> processing in line with section 4.2.3.9 of [RFC1122]:
> 
> 0a8de364ff7a tcp: no longer abort SYN_SENT when receiving some ICMP
> 
> However, the fixed behavior did not meet some expectations of Vagrant
> (see the netdev thread "Bug report connect to VM with Vagrant"), so
> for now it got reverted:
> 
> b59db45d7eba tcp: Revert no longer abort SYN_SENT when receiving some ICMP
> 
> I think the hope was to root-cause the Vagrant issue, fix Vagrant's
> assumptions, then resubmit Eric's commit. Eric mentioned on Jan 8,
> 2024: "We will submit the patch again for 6.9, once we get to the root
> cause." But I don't think anyone has had time to do that yet.

Ah.

Thank you!!
