
Re: linux-ipsec: cornered: MTU and fragmentation bugs



[ NOTICE!  This list will be hosted at lists.tislabs.com as of March 26.
There is no need to resubscribe, if you are on the list, you will remain
on it.  Just begin sending posts, and any administrative requests to
lists.tislabs.com as of now.  List mail to tis.com will cease to be
delivered as of March 26, 1999.  ]

> I'm surprised that the Linux kernel (2.0) is not sending ICMP
> "fragmentation required and DF set" responses.  I hope this is fixed

I am not aware of any circumstances where Linux does not generate
the appropriate messages. I think people would have noticed before
two years ago if it was doing this wrong.

viz..

	/* forwarding path: packet plus encapsulation exceeds the outgoing MTU
	 * and the Don't Fragment bit is set */
	if (skb->len+encap > dev2->mtu && (iph->frag_off & htons(IP_DF)))
	{
		ip_statistics.IpFragFails++;
	.....
			ip_send(rt,skb2,raddr,skb->len,dev2,dev2->pa_addr);
> 4) Heretofore linux has not generated these frag-needed messages.  I
> consider this a weakness in linux.  I have a patch for this, as mentioned
> in previous notes.

No patch ever seen.

> 5) What's worse, there are some firewalls (the Firewall-One brand in
> particular, and quite likely others) that in their usual configuration do
> not pass these ICMP frag-needed datagrams.  I consider this a weakness in
> the firewalls.  This is a pain in the neck to fix.

It isn't the products, it's the morons who install them. They have basically
made the internet a 1500 MTU fixed size network. If you attempt to reason
with the people who paid stupid amounts of money to have a 'highly certified
security consultant' install it they know they paid $30K so even if they are
wrong they'd get fired by their boss if they admitted it.

It is perfectly possible to correctly install these products.

> Solution #1 (ideal):  Fix linux and fix the firewalls so that ICMP
> frag-needed messages are returned to servers who depend on them.  This
> results in maximum efficiency.

I've no evidence from the past two years to believe Linux does this wrongly.

Alan
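The exchange above turns on two mechanisms: the kernel's forwarding check (packet plus encapsulation overhead exceeds the outgoing MTU while DF is set, so the router counts IpFragFails and answers with ICMP "fragmentation needed"), and what happens to a sender's Path MTU discovery when a firewall between it and that router silently drops the ICMP. The following is an added user-space model of both, written for this page; it is not code from the thread, the Linux kernel or any firewall product. The hop tables, the 1500-byte MTU, the 72-byte tunnel overhead, the probe limit and the function names are all constructed for illustration.

```c
/* Added example (not from the original thread or the Linux kernel):
 * a user-space model of the forwarding decision in the kernel excerpt
 * quoted above, and of what Path MTU discovery (RFC 1191) sees when a
 * firewall on the path filters the ICMP "fragmentation needed and DF set"
 * replies.  Hop tables, MTU values, the 72-byte tunnel overhead and the
 * probe limit are constructed for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IP_DF 0x4000        /* Don't Fragment bit of iph->frag_off (host order here) */
#define MAX_PROBES 8        /* how long the modelled sender keeps retrying */

struct hop {
    int mtu;                /* MTU of this router's outgoing link (dev2->mtu) */
    int encap;              /* bytes of tunnel overhead this hop adds (encap) */
    bool filters_icmp;      /* a firewall here drops ICMP passing through it */
};

enum verdict { FORWARDED, FRAGMENTED, ICMP_FRAG_NEEDED, BLACKHOLE };

static unsigned long ip_frag_fails;   /* plays the role of ip_statistics.IpFragFails */

unsigned long frag_fail_count(void) { return ip_frag_fails; }

/* The check from the quoted kernel code: does the packet, plus any
 * encapsulation this hop adds, fit the outgoing MTU?  If not and DF is set,
 * count the failure and report the MTU the sender should use next. */
static enum verdict forward_one(const struct hop *h, int len, uint16_t frag_off,
                                int *next_mtu)
{
    if (len + h->encap > h->mtu) {
        if (frag_off & IP_DF) {
            ip_frag_fails++;
            *next_mtu = h->mtu - h->encap;   /* next-hop MTU field of the ICMP */
            return ICMP_FRAG_NEEDED;
        }
        return FRAGMENTED;                   /* DF clear: the router fragments */
    }
    return FORWARDED;
}

/* Push one DF packet of size len through the path.  An ICMP generated at
 * hop i must travel back through hops 0..i-1; if any of them filters ICMP
 * the sender never sees it (BLACKHOLE). */
static enum verdict send_df(const struct hop *path, int nhops, int len, int *next_mtu)
{
    for (int i = 0; i < nhops; i++) {
        enum verdict v = forward_one(&path[i], len, IP_DF, next_mtu);
        if (v == ICMP_FRAG_NEEDED) {
            for (int j = 0; j < i; j++)
                if (path[j].filters_icmp)
                    return BLACKHOLE;
            return ICMP_FRAG_NEEDED;
        }
        if (v != FORWARDED)
            return v;
    }
    return FORWARDED;
}

/* Classic PMTU discovery: probe with DF set, shrink to the advertised MTU on
 * each ICMP, repeat.  Returns the path MTU, or -1 when the probes are
 * black-holed and the sender runs out of retries still at the same size. */
int discover_pmtu(const struct hop *path, int nhops, int first_hop_mtu)
{
    int len = first_hop_mtu, next_mtu = 0;
    for (int probe = 0; probe < MAX_PROBES; probe++) {
        switch (send_df(path, nhops, len, &next_mtu)) {
        case FORWARDED:        return len;
        case ICMP_FRAG_NEEDED: len = next_mtu; break;   /* learned something */
        case BLACKHOLE:        break;                   /* learned nothing; retry */
        case FRAGMENTED:       return -1;               /* cannot happen with DF */
        }
    }
    return -1;
}

/* Constructed paths: a 1500-byte network with one tunnelling hop that adds
 * 72 bytes of overhead; the second path has an ICMP-filtering firewall in
 * front of that hop. */
static const struct hop path_ok[]        = { {1500, 0, false}, {1500, 72, false}, {1500, 0, false} };
static const struct hop path_blackhole[] = { {1500, 0, true},  {1500, 72, false}, {1500, 0, false} };

int demo_ok(void)        { return discover_pmtu(path_ok, 3, 1500); }
int demo_blackhole(void) { return discover_pmtu(path_blackhole, 3, 1500); }

int main(void)
{
    printf("working path: PMTU = %d\n", demo_ok());                    /* 1428 */
    printf("ICMP filtered: PMTU = %d (black hole)\n", demo_blackhole()); /* -1 */
    printf("frag-needed events counted at routers: %lu\n", frag_fail_count());
    return 0;
}
```

On the working path the tunnelling hop answers the first 1500-byte probe with an ICMP carrying a next-hop MTU of 1428 (1500 minus the 72 bytes of encapsulation), and the second probe gets through. On the second path the same router generates the same ICMP every time, so its failure counter keeps climbing, but the firewall in front of it drops the reply and the sender never learns why its large DF packets vanish. That counter is also the place a defender would look: a router logging frag-needed events for a destination that never shrinks its packets is the signature of an ICMP-filtering device somewhere between them.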
