Re: Broken PMTUD in FreeBSD?

From: Mikael Olsson (mikael.olssonat_private)
Date: Tue Jun 11 2002 - 07:34:20 PDT

    Phil Dibowitz wrote:
    > 
    > [FreeBSD doesn't set DF in SYN/ACK]
    >
    > I don't consider this a big security hole, but it is a bug. It could 
    > be used to do TCP fingerprinting, and it also breaks a standard 
    
    Is this really a bug? I wouldn't be so sure. What is the purpose of
    setting DF in a SYN/ACK segment? It's not like it can react to
    returned ICMP errors and decrease the size of the segment (only 40 bytes
    of IP and TCP header and a few options).
    
    I'd even argue that it's a feature. If something has an MTU that
    is so small that it can't pass TCP segments without data, there's
    nothing to be done about it, and you should let fragmentation occur.
    
    
    The fingerprinting point is sort of valid, I guess. However, since 
    there are already BSD boxes out there doing this, the fingerprint 
    value would be even greater (the fingerprint match more narrow) if 
    one were to change it now.
    
    -- 
    Mikael Olsson, Clavister AB
    Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
    Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
    Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
    
    "Senex semper diu dormit"
    
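The argument in the post above (a SYN/ACK carries only IP and TCP headers plus a few options, so there is nothing PMTUD could shrink) can be checked mechanically on a captured SYN/ACK from a host under review. The following is an added example, not code from the post or from FreeBSD; it constructs two sample SYN/ACK segments in memory (addresses, ports and the MSS option are made-up sample values), parses the IPv4 and TCP headers, and reports whether DF is set, how large the segment is, and whether PMTUD could ever reduce it. The function names (`build_ipv4_tcp`, `inspect`, `pmtud_can_shrink`, `audit_synack`) are this example's own.

```python
import struct

# IPv4 flags/fragment-offset field: bit 14 is Don't Fragment (RFC 791).
IP_FLAG_DF = 0x4000
IP_PROTO_TCP = 6
IPV4_MIN_MTU = 68          # every IPv4 link must carry at least this (RFC 791)

# TCP control bits (low byte of the data-offset/flags word).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Constructed sample values for the example; any private address pair would do.
SRC = bytes([10, 0, 0, 1])
DST = bytes([10, 0, 0, 2])
MSS_OPTION = b"\x02\x04\x05\xb4"   # kind 2, length 4, MSS 1460


def build_ipv4_tcp(src, dst, sport, dport, tcp_flags, df=True, options=b""):
    """Build a payload-less IPv4+TCP segment. Checksums are left as zero: the
    example only parses these bytes and never puts them on the wire."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    tcp_hlen = 20 + len(options)
    off_flags = ((tcp_hlen // 4) << 12) | tcp_flags
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, off_flags, 65535, 0, 0) + options
    total_len = 20 + len(tcp)
    flags_frag = IP_FLAG_DF if df else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, flags_frag,
                     64, IP_PROTO_TCP, 0, src, dst)
    return ip + tcp


def inspect(packet):
    """Parse the IPv4 and TCP headers and report the fields that matter for
    the DF-in-SYN/ACK question: DF bit, control bits, header and payload size."""
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    if proto != IP_PROTO_TCP:
        raise ValueError("not TCP")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = packet[ihl:]
    off_flags = struct.unpack("!H", tcp[12:14])[0]
    tcp_hlen = (off_flags >> 12) * 4
    ctrl = off_flags & 0x3F            # FIN, SYN, RST, PSH, ACK, URG
    return {
        "df": bool(flags_frag & IP_FLAG_DF),
        "is_synack": ctrl & (TCP_SYN | TCP_ACK) == (TCP_SYN | TCP_ACK),
        "header_bytes": ihl + tcp_hlen,
        "payload_bytes": total_len - ihl - tcp_hlen,
    }


def pmtud_can_shrink(packet):
    """PMTUD only helps if the sender can retransmit something smaller. A
    segment that is all header has no payload to cut, so DF on it buys
    nothing. Returns True when there is payload that could be re-segmented."""
    return inspect(packet)["payload_bytes"] > 0


def fits_minimum_mtu(packet):
    """A headers-only segment fits even the smallest legal IPv4 MTU."""
    return len(packet) <= IPV4_MIN_MTU


def audit_synack(packet):
    """One-line verdict for a captured SYN/ACK from the host under review."""
    info = inspect(packet)
    if not info["is_synack"]:
        return "not a SYN/ACK"
    df = "DF set" if info["df"] else "DF clear"
    return (f"{df}; {info['header_bytes']} header bytes, "
            f"{info['payload_bytes']} payload bytes; "
            f"PMTUD can shrink: {pmtud_can_shrink(packet)}")


if __name__ == "__main__":
    for df in (False, True):
        pkt = build_ipv4_tcp(SRC, DST, 80, 40000, TCP_SYN | TCP_ACK,
                             df=df, options=MSS_OPTION)
        print(audit_synack(pkt))
```

Run as-is it prints a verdict for a SYN/ACK with DF clear and one with DF set; both come out at 44 bytes with zero payload, so `pmtud_can_shrink` is False either way, which is the post's point in code. To audit a real host, feed `inspect` the raw IPv4 bytes of a captured SYN/ACK (for example from a pcap) instead of the constructed packet.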
    This archive was generated by hypermail 2b30 : Tue Jun 11 2002 - 08:44:26 PDT