cvs commit: src/sys/netinet ip_icmp.c ip_icmp.h tcp_subr.c

Andre Oppermann andre at FreeBSD.org
Thu Apr 21 07:29:34 PDT 2005


andre       2005-04-21 14:29:34 UTC

  FreeBSD src repository

  Modified files:
    sys/netinet          ip_icmp.c ip_icmp.h tcp_subr.c 
  Log:
  Move Path MTU discovery ICMP processing from icmp_input() to
  tcp_ctlinput() and subject it to active tcpcb and sequence
  number checking.  Previously any ICMP unreachable/needfrag
  message would cause an update to the TCP hostcache.  Now only
  ICMP PMTU messages belonging to an active TCP session with
  the correct src/dst/port and sequence number will update the
  hostcache and complete the path MTU discovery process.
  
  Note that we don't entirely implement the recommended counter-
  measures of Section 7.2 of the paper.  However, we close down
  the possible degradation vector from trivially easy to really
  complex and resource intensive.  In addition we have limited
  the smallest acceptable MTU with net.inet.tcp.minmss sysctl
  for some time already, further reducing the effect of any
  degradation due to an attack.
  
  Security:       draft-gont-tcpm-icmp-attacks-03.txt Section 7.2
  MFC after:      3 days
  
  Revision  Changes    Path
  1.99      +1 -45     src/sys/netinet/ip_icmp.c
  1.24      +1 -0      src/sys/netinet/ip_icmp.h
  1.223     +36 -7     src/sys/netinet/tcp_subr.c
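The validation the log message describes, as an added illustration that is not FreeBSD's tcp_ctlinput() code: a needfrag message is accepted only when the quoted addresses and ports match an active session, the quoted sequence number is in flight, and the advertised MTU does not push the MSS below the minmss floor. Struct and field names are constructed stand-ins for the tcpcb and hostcache.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed, simplified model of the checks described in the commit log.
 * Names are illustrative, not FreeBSD's own. */

#define TCP_MINMSS 216          /* stand-in for net.inet.tcp.minmss */
#define IP_TCP_HDR_LEN 40       /* IPv4 + TCP header bytes, no options */

struct conn {                   /* the active TCP session (toy tcpcb) */
    uint32_t laddr, faddr;
    uint16_t lport, fport;
    uint32_t snd_una;           /* oldest unacknowledged sequence number */
    uint32_t snd_max;           /* highest sequence number sent so far */
    uint32_t path_mtu;          /* the hostcache value we may lower */
};

struct needfrag {               /* what an ICMP needfrag message quotes */
    uint32_t src, dst;          /* from the quoted IP header of our packet */
    uint16_t sport, dport;      /* from the quoted TCP header */
    uint32_t seq;               /* quoted sequence number */
    uint32_t next_mtu;          /* MTU the router advertises */
};

/* seq lies in [lo, hi), with sequence-number wraparound handled */
static bool seq_in_window(uint32_t seq, uint32_t lo, uint32_t hi)
{
    return (int32_t)(seq - lo) >= 0 && (int32_t)(hi - seq) > 0;
}

/* Returns true and lowers the cached path MTU only when the message
 * belongs to this session; anything else is dropped without effect. */
bool pmtu_ctlinput(struct conn *tp, const struct needfrag *nf)
{
    if (nf->src != tp->laddr || nf->dst != tp->faddr ||
        nf->sport != tp->lport || nf->dport != tp->fport)
        return false;           /* not this connection */
    if (!seq_in_window(nf->seq, tp->snd_una, tp->snd_max))
        return false;           /* quoted segment was never in flight */
    if (nf->next_mtu < TCP_MINMSS + IP_TCP_HDR_LEN)
        return false;           /* resulting MSS would be below minmss */
    if (nf->next_mtu >= tp->path_mtu)
        return false;           /* not a reduction; nothing to update */
    tp->path_mtu = nf->next_mtu;
    return true;
}
```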

