tech-net archive


icmp: locked mtu...



There is a piece of code that I don't understand in icmp_mtudisc.

	if ((rt->rt_rmx.rmx_locks & RTV_MTU) == 0) {
		if (mtu < 296 || mtu > rt->rt_ifp->if_mtu)
			rt->rt_rmx.rmx_locks |= RTV_MTU;
		else if (rt->rt_rmx.rmx_mtu > mtu ||
			 rt->rt_rmx.rmx_mtu == 0) {
			ICMP_STATINC(ICMP_STAT_PMTUCHG);
			rt->rt_rmx.rmx_mtu = mtu;
		}
	}

Here the mtu is locked (RTV_MTU) if it has an incorrect value. But why do we
do this exactly? It seems easy to use this as an attack vector, because once
locked the mtu can't be increased (in the timeout). You can either set the
lowest limit and then lock it to downgrade the traffic speed on the network,
or lock it directly as soon as the target host connects to another host. In
the second case it seems that you may be able to kill the connection if the
path between the two hosts has a lower mtu than the initial one: the receiver
will send need-frag messages to the sender, but the sender will ignore them
because the mtu is locked.

If that's indeed a problem we should do:

-			rt->rt_rmx.rmx_locks |= RTV_MTU;
+			/* nothing */;
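
Review bot: an empty statement (`/* nothing */;`) as the body of the range check leaves a vacuous branch that a later reader will have to puzzle over; if the intent is that an out-of-range value changes nothing, fold the range check into the update condition instead, e.g. `else if` becomes `if (mtu >= 296 && mtu <= rt->rt_ifp->if_mtu && (rt->rt_rmx.rmx_mtu > mtu || rt->rt_rmx.rmx_mtu == 0))`, keeping the outer `(rt->rt_rmx.rmx_locks & RTV_MTU) == 0` test so that a lock set elsewhere is still honoured and `ICMP_STAT_PMTUCHG` is still only bumped when `rmx_mtu` actually changes.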

In IPv6 we don't lock the mtu; if the value is wrong we just drop the message,
which is harmless.

Maxime
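
The following is an added user-space model, not NetBSD code and not part of the original post, that replays a constructed sequence of need-frag MTU values against one route under the two policies discussed above: the current locking behaviour and the proposed "ignore an out-of-range value" behaviour. The struct, the MIN_MTU constant, the 1500-byte interface MTU and the scenario values are the example's own assumptions; only the decision logic mirrors the quoted snippet.

```c
/* Added example (not NetBSD code): model of the icmp_mtudisc decision
 * logic quoted in the post, to show what a route ends up with under the
 * current code versus the proposed change. All names and constants here
 * are assumptions of this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MIN_MTU 296   /* lower bound used in the quoted snippet */

struct route_mtu {
    unsigned if_mtu;     /* interface MTU: upper bound for a plausible PMTU */
    unsigned rmx_mtu;    /* current path MTU estimate; 0 = none learned yet */
    bool     mtu_locked; /* models RTV_MTU in rt_rmx.rmx_locks */
    unsigned pmtuchg;    /* models the ICMP_STAT_PMTUCHG counter */
};

/* Policy A: current code. An out-of-range MTU locks the route, and a
 * locked route ignores every later need-frag message. */
static void pmtu_update_locking(struct route_mtu *rt, unsigned mtu)
{
    if (rt->mtu_locked)
        return;
    if (mtu < MIN_MTU || mtu > rt->if_mtu)
        rt->mtu_locked = true;
    else if (rt->rmx_mtu > mtu || rt->rmx_mtu == 0) {
        rt->pmtuchg++;
        rt->rmx_mtu = mtu;
    }
}

/* Policy B: the post's proposal. An out-of-range MTU is simply ignored,
 * as the post describes for IPv6; nothing is locked. */
static void pmtu_update_ignoring(struct route_mtu *rt, unsigned mtu)
{
    if (rt->mtu_locked)
        return;
    if (mtu < MIN_MTU || mtu > rt->if_mtu)
        return;
    if (rt->rmx_mtu > mtu || rt->rmx_mtu == 0) {
        rt->pmtuchg++;
        rt->rmx_mtu = mtu;
    }
}

typedef void (*pmtu_policy)(struct route_mtu *, unsigned);

/* Replay a sequence of need-frag MTU values against a fresh route under
 * the given policy and return the resulting estimate (0 means the route
 * never accepted any value and would keep using the interface MTU). */
unsigned replay_pmtu(pmtu_policy policy, const unsigned *mtus, size_t n)
{
    struct route_mtu rt = { .if_mtu = 1500, .rmx_mtu = 0,
                            .mtu_locked = false, .pmtuchg = 0 };
    for (size_t i = 0; i < n; i++)
        policy(&rt, mtus[i]);
    return rt.rmx_mtu;
}

/* Constructed scenario: one bogus value (below 296) arrives first, then a
 * legitimate need-frag from a path whose MTU is 1280. */
static const unsigned scenario[] = { 100, 1280 };

unsigned scenario_locking(void)
{
    return replay_pmtu(pmtu_update_locking, scenario, 2);
}

unsigned scenario_ignoring(void)
{
    return replay_pmtu(pmtu_update_ignoring, scenario, 2);
}

int main(void)
{
    /* Under the locking policy the legitimate 1280 never lands (0);
     * under the ignoring policy the route learns 1280. */
    printf("locking policy : rmx_mtu = %u\n", scenario_locking());
    printf("ignoring policy: rmx_mtu = %u\n", scenario_ignoring());
    return 0;
}
```

The replay makes the difference concrete: with the current policy a single out-of-range value leaves the route stuck at rmx_mtu = 0 (the interface MTU), so a later, valid need-frag for a 1280-byte path is dropped; with the proposed policy the bogus value changes nothing and the valid one is applied.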

