Subject: Re: DoS using crafted ICMP "frag needed" packets
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Fernando Gont <fernando@gont.com.ar>
List: tech-net
Date: 06/23/2005 14:05:53
At 03:43 a.m. 22/06/2005, Ed Ravin wrote:

> >3) Add a threshold or other rate-limiting to each TCP connection - after
> >NN "fragmentation needed" messages, either ignore the messages or ignore
> >the MTU size and use the internal table to drop down to the next MTU size.

An attacker could send you a stream of ICMP "fragmentation needed and DF 
bit set" error messages, and because of your rate-limiting approach, you'd 
end up ignoring the legitimate ones.
As for the approach of ignoring the Next-Hop MTU, and trying the values in the 
table: what about tunnels?


--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
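A small simulation of the two ideas under discussion, added here as an illustration (it is not code from this thread or from any BSD stack): a per-connection threshold that stops honouring "fragmentation needed" after NN messages, and the RFC 1191 plateau-table fallback that ignores the Next-Hop MTU. The threshold of 5, the attacker's burst size, and the 1476-byte tunnel path MTU (GRE over a 1500-byte link) are assumed values chosen for the demonstration.

```python
from dataclasses import dataclass

# RFC 1191 "plateau" table of common MTUs, largest to smallest.
PLATEAUS = [65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68]

@dataclass
class Connection:
    pmtu: int = 1500
    frag_needed_seen: int = 0
    ignored_legit: int = 0

def handle_threshold(conn, next_hop_mtu, legit, threshold):
    """Honour the advertised Next-Hop MTU only for the first `threshold` messages."""
    conn.frag_needed_seen += 1
    if conn.frag_needed_seen > threshold:
        # Beyond the threshold every message is dropped, legitimate or not.
        if legit:
            conn.ignored_legit += 1
        return False
    if next_hop_mtu < conn.pmtu:
        conn.pmtu = next_hop_mtu
    return True

def handle_plateau(conn):
    """Ignore the advertised MTU; step down to the next table entry instead."""
    conn.pmtu = next(p for p in PLATEAUS if p < conn.pmtu)
    return conn.pmtu

def flood_then_legit(threshold, flood):
    """Constructed scenario: a burst of `flood` bogus messages, then one real PMTU change to 1280."""
    conn = Connection()
    for _ in range(flood):
        handle_threshold(conn, 1400, legit=False, threshold=threshold)
    handle_threshold(conn, 1280, legit=True, threshold=threshold)
    return conn

def plateau_steps_to_fit(path_mtu, start=1500):
    """Round trips of 'frag needed' until the table-driven PMTU fits the real path."""
    conn = Connection(pmtu=start)
    steps = 0
    while conn.pmtu > path_mtu:
        handle_plateau(conn)
        steps += 1
    return steps, conn.pmtu

if __name__ == "__main__":
    c = flood_then_legit(threshold=5, flood=5)
    print(c.pmtu, c.ignored_legit)     # 1400 1: the real 1280 update was dropped
    print(plateau_steps_to_fit(1476))  # (2, 1006): assumed GRE tunnel MTU badly undershot
```

The first case shows the blackhole the threshold creates (the connection keeps sending 1400-byte segments across a 1280-byte path); the second shows why a fixed table is a poor fit for tunnel MTUs that sit between plateau values.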