Subject: Re: Patch for limiting TCP MSS (i.e. for new PPPoE)
To: Rick Byers <rb-netbsd@BigScaryChildren.net>
From: Steven M. Bellovin <email@example.com>
Date: 12/03/2001 12:18:56
In message <Pine.NEB.4.33.0112031151580.4384-100000@Apenheul.BigScaryChildren.net>, Rick Byers writes:
>On Mon, 3 Dec 2001, Martin Husemann wrote:
>> Which still means you have to do it for each and every machine behind a
>> pppoe router. It's hard to cope from our understanding of standards
>> conformance, but we *really* need a MSS clamping option for routers!
>> I've been dealing with completely clueless firewall admins at a client
>> for a few weeks now and just punted.
>I definitely agree. Mike Pelley <firstname.lastname@example.org>, is implementing
>in-kernel MSS clamping. Anyone know if other OSes handle this directly in
>the TCP stack? Since the problem applies to more than just PPPoE
>connections, and more than just ipnat setups - it makes sense to me to
>support MSS clamping in the TCP stack directly. However, I'm not aware of
>any other OS that does this.
Routers shouldn't tinker with MSSs. If nothing else, that won't work
for non-TCP protocols or in the presence of IPsec. The right answer is
PMTU, and routers that see a small outbound link should emit the proper
packet. In particular, PPPoE routers tend to be user premises
gateways, which should allay any security concerns.
--Steve Bellovin, http://www.research.att.com/~smb
Full text of "Firewalls" book now at http://www.wilyhacker.com
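As an added illustration (not code from this thread, from NetBSD, or from Mike Pelley's work) of what the MSS clamping discussed above does on a PPPoE link: a SYN's MSS option is rewritten so it never exceeds the 1492-byte link MTU minus the 40 bytes of IPv4 and TCP headers, and the TCP checksum is recomputed. As Steve's reply notes, this only ever touches TCP SYN segments, so non-TCP traffic gets no help from it. The addresses, the sample segment and its option layout are constructed for the example.

```python
import struct

PPPOE_MTU = 1492       # Ethernet MTU (1500) minus the 8-byte PPPoE + PPP overhead
IPV4_TCP_HDRS = 40     # minimal IPv4 (20) + TCP (20) headers, so MSS = MTU - 40

def tcp_checksum(src, dst, segment):
    """RFC 793 ones'-complement checksum over the IPv4 pseudo-header and the segment."""
    data = src + dst + struct.pack("!BBH", 0, 6, len(segment)) + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def clamp_mss(src, dst, segment, link_mtu=PPPOE_MTU):
    """Clamp a SYN's MSS option to link_mtu - 40; returns (segment, new_mss or None)."""
    limit = link_mtu - IPV4_TCP_HDRS
    seg = bytearray(segment)
    data_off = (seg[12] >> 4) * 4
    if not seg[13] & 0x02:            # MSS is only carried on SYN / SYN-ACK segments
        return bytes(seg), None
    i = 20
    while i + 1 < data_off:
        kind = seg[i]
        if kind == 0:                 # End of Option List
            break
        if kind == 1:                 # NOP padding
            i += 1
            continue
        length = seg[i + 1]
        if length < 2:                # malformed option: leave the packet alone
            break
        if kind == 2 and length == 4:
            mss = struct.unpack_from("!H", seg, i + 2)[0]
            if mss <= limit:
                return bytes(seg), None
            struct.pack_into("!H", seg, i + 2, limit)
            struct.pack_into("!H", seg, 16, 0)          # zero checksum before recomputing
            struct.pack_into("!H", seg, 16, tcp_checksum(src, dst, bytes(seg)))
            return bytes(seg), limit
        i += length
    return bytes(seg), None

def build_syn(src, dst, mss, flags=0x02):
    """Constructed sample segment: 20-byte header, NOP NOP MSS EOL EOL options (data offset 7)."""
    opts = b"\x01\x01" + struct.pack("!BBH", 2, 4, mss) + b"\x00\x00"
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 7 << 4, flags, 8192, 0, 0)
    seg = hdr + opts
    return seg[:16] + struct.pack("!H", tcp_checksum(src, dst, seg)) + seg[18:]
```

Verifying a segment is as simple as running tcp_checksum over it with the checksum field in place: a correct segment yields 0.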