
Re: linux-ipsec: cornered: MTU and fragmentation bugs



[ NOTICE!  This list will be hosted at lists.tislabs.com as of March 26.
There is no need to resubscribe, if you are on the list, you will remain
on it.  Just begin sending posts, and any administrative requests to
lists.tislabs.com as of now.  List mail to tis.com will cease to be
delivered as of March 26, 1999.  ]

-----BEGIN PGP SIGNED MESSAGE-----

> > I'm surprised that the Linux kernel (2.0) is not sending ICMP
> > "fragmentation required and DF set" responses.  I hope this is fixed
> 
> I am not aware of any circumstances where Linux does not generate
> the appropriate messages. I think people would have noticed before
> two years ago if it was doing this wrong.
> 
> viz..
> 
> 		if (skb->len+encap > dev2->mtu && (iph->frag_off & htons(IP_DF))) 
> 		{
> 			ip_statistics.IpFragFails++;
> 	.....
> 		 		ip_send(rt,skb2,raddr,skb->len,dev2,dev2->pa_addr);

Where is this code from?  I assume ip_forward()?  If so, I found the
ICMP message call that I think you intended to reference, but I don't
quite know why you quoted the ip_send() above...

Can it always be assumed that ip_fragment is called after checking DF?
ip_fragment() is not exclusively called from ip_forward().

The place John Denker speaks of is in ip_fragment.  If a packet is
sent to ip_fragment() (such as at the end of ip_output()) without
checking DF, then the packet gets dropped silently.

> > 4) Heretofore linux has not generated these frag-needed messages.  I
> > consider this a weakness in linux.  I have a patch for this, as mentioned
> > in previous notes.
> 
> No patch ever seen.

In case you didn't get it:

*** ip_fragment.c.old   Tue Mar 23 17:22:41 1999
- --- ip_fragment.c       Tue Mar 23 17:24:34 1999
***************
*** 685,692 ****
- --- 685,693 ----
        if (iph->frag_off & htons(IP_DF))
        {
                ip_statistics.IpFragFails++;
                NETDEBUG(printk("ip_queue_xmit: frag needed\n"));
+
icmp_send(skb,ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED,htons(dev->mtu)
, dev); /* jsd */
                return;
        }
  
        /*
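
Review bot: the added icmp_send() call passes htons(dev->mtu) as its MTU argument; please confirm that this matches the width and byte order icmp_send() expects in that position. RFC 1191 carries the next-hop MTU in the low-order 16 bits of a 32-bit ICMP header word, so a 16-bit swapped value placed into a 32-bit field would land in the wrong half on little-endian hosts. The added line also arrived wrapped across three lines in this mail, so the patch will not apply as posted; resending it unwrapped or as an attachment would fix that, and a comment saying why the reply is generated at this point would help more than the /* jsd */ initials.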


> > 5) What's worse, there are some firewalls (the Firewall-One brand in
> > particular, and quite likely others) that in their usual configuration do
> > not pass these ICMP frag-needed datagrams.  I consider this a weakness in
> > the firewalls.  This is a pain in the neck to fix.
> 
> It isn't the products, it's the morons who install them. They have basically
> made the internet a 1500 mtu fixed size network. If you attempt to reason
> with the people who paid stupid amounts of money to have a 'highly certified
> security consultant' install it they know they paid $30K so even if they are
> wrong they'd get fired by their boss if they admitted it.
> 
> It is perfectly possible to correctly install these products.

How easy will it be to fix this critical mass?

> > Solution #1 (ideal):  Fix linux and fix the firewalls so that ICMP
> > frag-needed messages are returned to servers who depend on them.  This
> > results in maximum efficiency.
> 
> I've no evidence from the past two years to believe Linux does this wrongly.

That doesn't mean it doesn't exist...  I'm still trying to verify
it...

> Alan

	slainte mhath, RGB
- -- 
Richard Guy Briggs -- PGP key available                Auto-Free Ottawa! Canada
rgb at conscoop dot ottawa dot on dot ca            <http://www.flora.org/afo/>
<http://www.conscoop.ottawa.on.ca/>   FreeS/WAN:<http://www.flora.org/freeswan>
Please send all spam to root@127.0.0.1   Marillion:<http://www.marillion.co.uk>

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBNvqch9+sBuIhFagtAQHXGAQAhVeLYTC9/R/bYVQd57pC9E72IceKL0B8
w7Ke7ic0M7qdQ7+5FiNbiEAqFNnCBEe+qYaxgdlT/rnHN4ULrQnWY3oSsft6GVnb
9wWqZjvd6bFBaIGhqp59Ey0TMnetxesX4493y1CHs/oknje6iqTZIW0rdJpGhWRR
C1CJw7rrws4=
=VpnN
-----END PGP SIGNATURE-----
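
The behaviour argued over in this message, as an added example that is not part of the original post and is not Linux kernel code: a user-space C sketch of the output decision (send whole, fragment, or answer with ICMP "fragmentation needed") and of the RFC 1191 reply layout, written byte by byte so host byte order cannot matter. The function names and the sample packet are assumptions made up for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP_DF_BIT 0x4000 /* DF flag in the IPv4 flags/fragment-offset word */
enum verdict { SEND_WHOLE, FRAGMENT, REPLY_FRAG_NEEDED };

/* Constructed sample: a bare 20-byte IPv4 header (UDP, TTL 64), zero payload.
 * Hypothetical helper; len must be at least 20. */
void sample_packet(uint8_t *b, size_t len, int df) {
    memset(b, 0, len);
    b[0] = 0x45;                                  /* version 4, IHL 5 */
    b[2] = (uint8_t)(len >> 8); b[3] = (uint8_t)len;
    b[6] = df ? 0x40 : 0;                         /* DF lives in byte 6 */
    b[8] = 64; b[9] = 17;
}

/* Internet checksum (RFC 1071) over len bytes. */
static uint16_t inet_csum(const uint8_t *p, size_t len) {
    uint32_t sum = 0;
    for (; len > 1; p += 2, len -= 2) sum += (uint32_t)(p[0] << 8 | p[1]);
    if (len) sum += (uint32_t)p[0] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* The DF test has to sit on every path that can reach the fragmenter,
 * otherwise an oversized DF packet is dropped with no reply. */
enum verdict classify(const uint8_t *pkt, size_t len, uint16_t mtu) {
    uint16_t frag_off = (uint16_t)(pkt[6] << 8 | pkt[7]);
    if (len <= mtu) return SEND_WHOLE;
    return (frag_off & IP_DF_BIT) ? REPLY_FRAG_NEEDED : FRAGMENT;
}

/* Build ICMP type 3 code 4: 8-byte header, then the offending IP header
 * plus its first 8 payload bytes. Returns the ICMP length, or 0 on error. */
size_t build_frag_needed(const uint8_t *pkt, size_t len, uint16_t mtu,
                         uint8_t *out, size_t cap) {
    if (len < 20) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return 0;
    size_t quote = ihl + 8 < len ? ihl + 8 : len;
    if (cap < 8 + quote) return 0;
    memset(out, 0, 8);
    out[0] = 3; out[1] = 4;                       /* dest unreachable, frag needed */
    out[6] = (uint8_t)(mtu >> 8); out[7] = (uint8_t)mtu; /* low 16 bits of word 2 */
    memcpy(out + 8, pkt, quote);
    uint16_t c = inet_csum(out, 8 + quote);
    out[2] = (uint8_t)(c >> 8); out[3] = (uint8_t)c;
    return 8 + quote;
}
```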

