Broken PMTUD in FreeBSD?

From: Phil Dibowitz (webmasterat_private)
Date: Mon Jun 10 2002 - 12:52:56 PDT


    [Note: I accidentally posted this last week from the wrong email address. It's 
    probably sitting in queue somewhere - but since it hasn't come through yet, 
    I'm sending it from the correct address, I'm sorry if you get this twice]
    
    [Note2: Dave A., since I haven't heard back from you, I'm assuming this is OK 
    to post.]
    
    Bugtraqers,
    
    BUG OVERVIEW
    I believe there is a bug in the PMTUD (Path MTU Discovery) implementation in 
    FreeBSD. According to RFC 1191, when using PMTUD all TCP datagrams must have 
    the Don't Fragment (DF) bit set. It seems that FreeBSD does not fully obey 
    this rule. On "SYN ACK" packets, the DF bit is not set. It is set on all other 
    packets though (including SYN packets). The details are below - I have been 
    unable to find any reason for this behavior, but if someone can explain a 
    reason for this other than it being a bug, wonderful, you're smarter than I am! =)
    
    NOTIFICATION
    My friend Richard van den Berg, who originally found the bug, posted to the 
    FreeBSD mailing list on April 21, 2002. The post can be found here:
    http://docs.freebsd.org/cgi/getmsg.cgi?fetch=9182+0+archive/2002/freebsd-net/20020428.freebsd-net
    
    That's a month and a half of notice. We received no response either on the 
    list or in person.
    
    SEVERITY
    I don't consider this a big security hole, but it is a bug. It could be used 
    to do TCP fingerprinting, and it also breaks a standard (which makes 
    troubleshooting PMTUD Blackholes a little more difficult, something Richard 
    and I do as part of the MSS Initiative[1]).
    
    DETAILS
    I have made available packet sniffer logs of both sides of a test at the 
    following locations.
    http://home.earthlink.net/~jaymzh666/mss/snoop-log-solaris-to-bsd.gz
    http://home.earthlink.net/~jaymzh666/mss/tcpdump-log-bsd-to-solaris.gz
    
    The test systems were as follows:
    $ uname -a
    SunOS mort 5.9 s81_57 sun4u sparc SUNW,Sun-Blade-100
    $ uname -a
    FreeBSD trantor.xs4all.nl 5.0-CURRENT FreeBSD 5.0-CURRENT #6: Mon Apr 15
    20:16:39 MET DST 2002
    paulzat_private:/usr/obj/usr/source/src/sys/trantor i386
    
    If I can provide any more information, or if you have any light to shed on 
    this topic, please feel free to let me know.
    
    [1] MSS Initiative: http://home.earthlink.net/~jaymzh666/mss/
    
    Sincerely,
    Phil Dibowitz
    -- 
    Insanity Palace of Metallica
    http://www.ipom.com
    webmasterat_private
    --
    
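A way to check a capture for the behaviour described in the post, as an added example that is not from the post or from FreeBSD: it parses bare IPv4/TCP headers, lists every TCP segment sent without DF, and labels SYN-ACKs so a host that clears DF only there stands out. The handshake it runs over is constructed inline, not taken from the linked snoop/tcpdump logs.

```python
import struct

IP_DF = 0x4000            # DF bit in the IPv4 flags/fragment-offset field
TCP_SYN, TCP_ACK = 0x02, 0x10

def build_packet(src, dst, sport, dport, tcp_flags, df):
    """Bare IPv4+TCP headers (no options/payload, zero checksums) for the constructed sample."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, IP_DF if df else 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    return ip + tcp

def parse_packet(pkt):
    """Return (src, dst, tcp_flags, df) for an IPv4/TCP packet, None for anything else."""
    vihl, _, _, _, frag, _, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if vihl >> 4 != 4 or proto != 6:
        return None
    ihl = (vihl & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return src, dst, pkt[ihl + 13], bool(frag & IP_DF)

def segment_kind(flags):
    if flags & (TCP_SYN | TCP_ACK) == TCP_SYN | TCP_ACK:
        return "SYN-ACK"
    return "SYN" if flags & TCP_SYN else "DATA/ACK"

def find_df_violations(packets):
    """List (kind, src, dst) for every TCP segment sent without DF.
    RFC 1191 expects DF on all segments of a PMTUD connection; labelling the
    kind makes a host that clears DF only on SYN-ACKs stand out."""
    violations = []
    for pkt in packets:
        parsed = parse_packet(pkt)
        if parsed is None or parsed[3]:
            continue
        src, dst, flags, _ = parsed
        violations.append((segment_kind(flags), src, dst))
    return violations

# Constructed handshake mimicking the reported behaviour: SYN with DF, SYN-ACK without DF, ACK with DF.
SAMPLE = [
    build_packet("10.0.0.1", "10.0.0.2", 40000, 80, TCP_SYN, df=True),
    build_packet("10.0.0.2", "10.0.0.1", 80, 40000, TCP_SYN | TCP_ACK, df=False),
    build_packet("10.0.0.1", "10.0.0.2", 40000, 80, TCP_ACK, df=True),
]

if __name__ == "__main__":
    for kind, src, dst in find_df_violations(SAMPLE):
        print(f"{kind} {src} -> {dst} sent without DF")   # SYN-ACK 10.0.0.2 -> 10.0.0.1 sent without DF
```

To run it over a real capture, feed the IPv4 frames from the pcap (link-layer header stripped) to find_df_violations in place of SAMPLE.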



    This archive was generated by hypermail 2b30 : Mon Jun 10 2002 - 19:20:13 PDT