tech-net archive
icmp: locked mtu...
There is a piece of code that I don't understand in icmp_mtudisc.
    if ((rt->rt_rmx.rmx_locks & RTV_MTU) == 0) {
        if (mtu < 296 || mtu > rt->rt_ifp->if_mtu)
            rt->rt_rmx.rmx_locks |= RTV_MTU;
        else if (rt->rt_rmx.rmx_mtu > mtu ||
            rt->rt_rmx.rmx_mtu == 0) {
            ICMP_STATINC(ICMP_STAT_PMTUCHG);
            rt->rt_rmx.rmx_mtu = mtu;
        }
    }
Here the mtu is locked (RTV_MTU) if it has an incorrect value. But why do we
do this exactly? It seems easy to use this as an attack vector, because once
locked the mtu can't be increased (in the timeout). You can either set the
lowest limit and then lock it to downgrade the traffic speed on the network,
or lock it directly as soon as the target host connects to another host. In
the second case it seems that you may be able to kill the connection if the
path between the two hosts has a lower mtu than the initial one: the receiver
will send need-frag messages to the sender, but the sender will ignore them
because the mtu is locked.
If that's indeed a problem we should do:
- rt->rt_rmx.rmx_locks |= RTV_MTU;
+ /* nothing */;
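Review bot: replacing the assignment with `/* nothing */;` leaves an empty statement as the sole body of the `if (mtu < 296 || mtu > rt->rt_ifp->if_mtu)` branch, with the `else if` still hanging off it; cleaner to drop that branch and fold the range check into the update condition, e.g. `if (mtu >= 296 && mtu <= rt->rt_ifp->if_mtu && (rt->rt_rmx.rmx_mtu > mtu || rt->rt_rmx.rmx_mtu == 0))`. The resulting behaviour is the one described for IPv6: an out-of-range value is simply not applied, and the outer `rmx_locks & RTV_MTU` check is no longer something an ICMP message can turn on.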
In IPv6 we don't lock the mtu; if the value is wrong we just drop the message,
which is harmless.
Maxime
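To make the two cases in the post concrete, here is a small model (added here, not code from the post or from the NetBSD tree) of the quoted icmp_mtudisc update, switchable between the locking behaviour and the proposed drop-only behaviour. The struct, the RTV_MTU bit value and the timeout function are assumed simplifications of the kernel's rtentry and icmp_mtudisc_timeout, kept only as far as the post describes them.

```c
#include <stdbool.h>

#define RTV_MTU 0x04  /* lock bit; value chosen for this model */
#define MIN_MTU 296   /* lower bound used in the quoted code */

/* rmx_locks, rmx_mtu (0 = not learned) and the interface MTU, simplified. */
struct rt_model { unsigned locks, mtu, if_mtu; };

/* One need-frag message; lock_on_bogus selects quoted code vs. proposal. */
static bool mtudisc_update(struct rt_model *rt, unsigned mtu, bool lock_on_bogus)
{
    if (rt->locks & RTV_MTU)
        return false;                  /* locked: message ignored */
    if (mtu < MIN_MTU || mtu > rt->if_mtu) {
        if (lock_on_bogus)
            rt->locks |= RTV_MTU;      /* quoted code: lock forever */
        return false;                  /* proposal: just drop, as in IPv6 */
    }
    if (rt->mtu > mtu || rt->mtu == 0) {
        rt->mtu = mtu;                 /* ICMP_STAT_PMTUCHG */
        return true;
    }
    return false;
}

/* Assumed timeout model: forget the learned MTU unless locked. */
static void mtudisc_timeout(struct rt_model *rt)
{
    if ((rt->locks & RTV_MTU) == 0)
        rt->mtu = 0;
}

/* Second case in the post: bogus value first, then a genuine need-frag from
 * a 1400-byte path. Returns the MTU honoured afterwards (0 = if_mtu). */
static unsigned scenario_lock_first(bool lock_on_bogus)
{
    struct rt_model rt = { 0, 0, 1500 };
    mtudisc_update(&rt, 100, lock_on_bogus);   /* bogus: below 296 */
    mtudisc_update(&rt, 1400, lock_on_bogus);  /* genuine need-frag */
    return rt.mtu;
}

/* First case: pin the lowest MTU, lock it, run the timeout. 0 = forgotten. */
static unsigned scenario_pin_low(bool lock_on_bogus)
{
    struct rt_model rt = { 0, 0, 1500 };
    mtudisc_update(&rt, 296, lock_on_bogus);   /* valid, lowest allowed */
    mtudisc_update(&rt, 100, lock_on_bogus);   /* bogus: sets the lock */
    mtudisc_timeout(&rt);
    return rt.mtu;
}
```

With locking, the first scenario keeps sending at the 1500-byte interface MTU although the path only carries 1400, and the second stays pinned at 296 across the timeout; with the drop-only variant the genuine 1400 is learned and the pinned value is forgotten again.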