Re: IPSEC transport mode w/2.2.x kernels and large packets

Alan Cox (alan@lxorguk.ukuu.org.uk)
Sat, 7 Aug 1999 11:01:28 +0100 (BST)


> > Set the MTU to 64K
> > Set the MSS on the routers to the estimated path mtu
>
> You propose to rewrite the TCP MSS option on the routers while tunneling ?

Typo - routes

> of ICMP to avoid this potential attack? This would sound like overkill
> to me, and there would be still enough other ways to generate retry packets
> left (e.g. with TCP).

Not really.

> Also the tunnel start point has to be secured anyways, otherwise
> all the encryption wouldn't make sense. Similar for the tunnel endpoint.
>
> Or do I miss something?

The DF frames are coming from hosts that the tunnel passes through, not
from inside the tunnel. That is the problem.

Frames from the tunnel itself are protected and encrypted, but any ICMP
generated by the tunnel itself is unencrypted and unsigned, so it cannot be
trusted.

Alan
