
Re: PMTU discovery for tunnels: issues 78, 49, 81





>>>>> "Yoav" == Yoav Nir <ynir@checkpoint.com> writes:
    Yoav> For those of us who weren't there, can you please explain the 
    Yoav> situation?  What are the risks?

  I am not the best person to explain risk of PAWS with fragmentation.
  Matt said he would write something.

  Here is the summary of the discussion:

  Assume
      - very fast networks using large window TCP
      - networks that connect them, with MTU constraints in them
      - that we ignore the DF bit and fragment anyway at the constraint,
        between dissimilar media (9000 byte ethernet vs 1500 byte ethernet)

  Assume that a TCP segment gets fragmented into two pieces. The first
fragment gets lost. The second fragment stays in the end-host's queue.  Given
how fast the network is, it wraps the fragment ID several times a second. 

  So, a second packet gets fragmented in the same way, the first part arrives
and matches the queued fragment. The datagram is assembled, and if we are
lucky, it fails the TCP checksum. 
  The second part arrives, finds no first part and gets queued, and waits
for the next ID wrapping.

  However, given the speed of the connection, in a short time the odds are
that the TCP checksum will match, and the segment will get accepted.

  If the PAWS does proper PMTU discovery, then this can't happen.

] Collecting stories about my dad: http://www.sandelman.ca/cjr/ |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian/notebook using, kernel hacking, security guy");  [

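The scenario Michael describes, as an added simulation that is not part of the original thread: a toy IP reassembly cache keyed by (src, dst, IP ID), a TCP segment split at an MTU boundary, the first segment's head lost and its tail left queued, then a second segment reusing the same ID after the 16-bit counter wraps. Addresses, payloads, port numbers and the 1000-byte fragment boundary are constructed; fragment offsets are in bytes rather than the 8-byte units real IPv4 uses. The mixed datagram (new head + old tail) passes the TCP checksum exactly when the two tails have the same ones-complement sum, which case (b) forces by swapping two 16-bit words, so the checksum accepts a segment whose data is not what the sender put on the wire. `id_wrap_interval` is also an added helper giving the ID reuse period for a given link rate.

```python
# Constructed simulation of fragment-ID reuse after a 16-bit ID wrap.
# Not code from the original message; addresses, ports and payloads are made up.
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones-complement sum used by the IP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    return src + dst + struct.pack("!BBH", 0, 6, tcp_len)


def build_segment(src: bytes, dst: bytes, seq: int, payload: bytes) -> bytes:
    """Minimal TCP segment (20-byte header, no options) with a valid checksum."""
    hdr = struct.pack("!HHIIBBHHH", 1234, 80, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    csum = (~ones_complement_sum(pseudo_header(src, dst, 20 + len(payload)) + hdr + payload)) & 0xFFFF
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def checksum_ok(src: bytes, dst: bytes, segment: bytes) -> bool:
    return ones_complement_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF


class Reassembler:
    """Toy reassembly cache keyed by (src, dst, IP ID); no timeout is modelled."""

    def __init__(self):
        self.pending = {}

    def receive(self, src, dst, ip_id, offset, more_fragments, data):
        key = (src, dst, ip_id)
        frags = self.pending.setdefault(key, {})
        frags[offset] = (data, more_fragments)
        assembled, expect = b"", 0
        while expect in frags:          # walk contiguous fragments from offset 0
            chunk, mf = frags[expect]
            assembled += chunk
            expect += len(chunk)
            if not mf:                  # last fragment reached: datagram complete
                del self.pending[key]
                return assembled
        return None                     # hole remains; keep waiting


def misassembly(src, dst, seg1, seg2, mtu, ip_id=0x1234):
    """seg1's head is lost, its tail is queued; the ID wraps; seg2 reuses ip_id."""
    r = Reassembler()
    assert r.receive(src, dst, ip_id, mtu, False, seg1[mtu:]) is None
    # ... the fast link wraps the 16-bit ID and seg2 is fragmented the same way ...
    datagram = r.receive(src, dst, ip_id, 0, True, seg2[:mtu])   # new head + old tail
    # seg2's own tail now finds no head and is queued until the next wrap
    assert r.receive(src, dst, ip_id, mtu, False, seg2[mtu:]) is None
    return datagram, checksum_ok(src, dst, datagram)


def id_wrap_interval(bits_per_second: float, packet_bytes: int) -> float:
    """Seconds until a host sending back-to-back packets reuses a 16-bit IP ID."""
    return 65536 * packet_bytes * 8 / bits_per_second


SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed addresses
MTU = 1000                                               # fragment boundary in the segment


def demo():
    payload1 = bytes(range(256)) * 6                     # 1536-byte constructed payload
    seg1 = build_segment(SRC, DST, 1000, payload1)

    # (a) unrelated second segment: the mixed datagram fails the checksum
    seg_a = build_segment(SRC, DST, 2536, b"B" * len(payload1))
    _, ok_a = misassembly(SRC, DST, seg1, seg_a, MTU)

    # (b) second segment whose tail has the same ones-complement sum as seg1's
    #     tail (two 16-bit words swapped): the checksum cannot tell them apart
    p = bytearray(payload1)
    p[0:4] = b"NEW!"                                     # head differs (that part arrived)
    p[1000:1002], p[1002:1004] = p[1002:1004], p[1000:1002]   # tail differs, same sum
    seg_b = build_segment(SRC, DST, 2536, bytes(p))
    mixed_b, ok_b = misassembly(SRC, DST, seg1, seg_b, MTU)
    corrupted = ok_b and mixed_b != seg_b and mixed_b[:MTU] == seg_b[:MTU]
    return ok_a, ok_b, corrupted


if __name__ == "__main__":
    print(demo())                                        # (False, True, True)
    print("ID wrap at 1 Gb/s, 1500 B: %.2f s" % id_wrap_interval(1e9, 1500))
```

Case (a) fails only by the 16-bit checksum's margin, which is the "if we are lucky" in the message; case (b) shows the kind of tail the checksum silently accepts, and at the link rates assumed the ID reuses every fraction of a second, so a stale tail does not have to wait long for a head it can be glued to.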