MSS Initiative Makes Progress
Phil writes "The MSS Initiative was started by Richard van den Berg and myself to combat sites that are broken (enable Path MTU Discovery AND block ICMP 3,4) which include such big sites as SecurityFocus and CERT (causing those behind PPPoE and other less-than-1500-MTU protocols to be unable to view the sites). This past week we were privileged enough to be able to present a paper at the 16th LISA Systems Administration Conference! Check out the paper and slides and be sure, like many members of the audience, to fix the sites you administer!"
MTU: Maximum Transfer Unit.
This is the maximum number of bytes that your computer will send out in a packet. This should be set according to what your connection can handle. For ethernet this should be set to 1500. For PPPoE links this should be set to 1492.
MSS: Maximum Segment Size.
This is used in negotiating what the MTU of a connection between two hosts will be. Essentially this is saying "please don't send me packets bigger than X." This should typically be set to 40 less than your MTU to allow room for headers.
Actually, according to conventional wisdom, the majority of network admins and the world in general, (oh, and TCP/IP Illustrated 2nd Edition):
MTU: Maximum Transmission Unit.
I have no idea where the MSS people got "transfer" from.
Janie took my gun...
The PDF on this mirror seems to work.
-------
Warning: Slashdot may contain traces of nuts.
There needs to be more awareness in the internet world about not breaking some of the underlying technologies. What the authors are talking about is sites with fuckheaded admins who blindly block all ICMP traffic with their firewalls.
Path Maximum Transmission Unit Discovery, ICMP type 3 code 4, is sent to an IP stack telling it to send smaller IP packets so the packets don't get fragmented along the way. When nearly 75% of broadband users in Europe are forced to use PPPOE, they count on a working PMTUD message making things work.
There is a workaround, called MSS clamping, built into Roaring Penguin PPPOE (great software, guys!) which tweaks the TCP stack for web traffic. Unfortunately, it breaks all kinds of other traffic which doesn't expect the MSS to change.
So this paper is a good start to informing network admins there is no security risk in allowing some types of ICMP traffic. MSS clamping and PMTUD problems were a main topic of coffee break discussions at the last RIPE meeting. Now it remains to convince the firewall manufacturers to change their defaults so that they aren't breaking more and more of the internet. Adding this information to Firewall-HOWTOs would also be a good idea.
the AC
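The message the post above is about, as an added example that is not from the thread or the LISA paper: a Python script that builds a constructed ICMP type 3 code 4 ("fragmentation needed and DF set") message in the RFC 792 layout with the RFC 1191 Next-Hop MTU field, parses and validates it the way a receiving host would, and works out the new path MTU, including the RFC 1191 plateau fallback for old routers that send a zero MTU field. The addresses (documentation ranges), ports and the 1500/1492 sizes are constructed sample values; the 1500-byte "dropped" datagram is represented by its first 28 bytes only, which is all the ICMP message quotes.

```python
import socket
import struct

# RFC 1191 section 7 plateau table, consulted when an old router sends a
# fragmentation-needed message with a zero Next-Hop MTU field.
PLATEAUS = (65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with the DF bit set (PMTUD relies on DF)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def frag_needed_message(next_hop_mtu: int, dropped_datagram: bytes) -> bytes:
    """ICMP type 3 code 4 as a router emits it: header, Next-Hop MTU, then the
    IP header plus first 8 bytes of the datagram it had to drop."""
    body = dropped_datagram[:28]
    hdr = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu)
    csum = inet_checksum(hdr + body)
    return struct.pack("!BBHHH", 3, 4, csum, 0, next_hop_mtu) + body


def parse_frag_needed(icmp: bytes) -> dict:
    """Validate the message and extract what the sending host needs:
    the next-hop MTU and the flow the dropped packet belonged to."""
    if len(icmp) < 36:
        raise ValueError("truncated ICMP message")
    if inet_checksum(icmp) != 0:          # a valid checksum sums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        raise ValueError("not a fragmentation-needed message")
    orig = icmp[8:]
    ihl = (orig[0] & 0x0F) * 4
    if len(orig) < ihl + 4:
        raise ValueError("quoted datagram too short")
    orig_len = struct.unpack("!H", orig[2:4])[0]
    sport, dport = struct.unpack("!HH", orig[ihl:ihl + 4])
    return {"next_hop_mtu": mtu, "orig_len": orig_len, "proto": orig[9],
            "src": socket.inet_ntoa(orig[12:16]), "dst": socket.inet_ntoa(orig[16:20]),
            "sport": sport, "dport": dport}


def apply_pmtud(path_mtu: int, icmp: bytes) -> int:
    """Path MTU a sender adopts after this message: the advertised MTU, or the
    largest plateau below the dropped packet's size if the field is zero."""
    info = parse_frag_needed(icmp)
    mtu = info["next_hop_mtu"]
    if mtu == 0:
        mtu = next(p for p in PLATEAUS if p < info["orig_len"])
    return min(path_mtu, mtu)


def tcp_payload_per_segment(path_mtu: int) -> int:
    """Data per segment once the 20-byte IP and 20-byte TCP headers are counted."""
    return path_mtu - 40


# Constructed sample: a 1500-byte TCP segment from an Ethernet host, dropped by a
# router whose next hop is a 1492-byte PPPoE link. Only the 28 bytes the ICMP
# message quotes are built; the addresses are documentation ranges, not hosts.
DROPPED = ipv4_header("192.0.2.10", "198.51.100.20", 6, 1500) + struct.pack("!HHI", 40000, 80, 1)
FRAG_NEEDED = frag_needed_message(1492, DROPPED)

if __name__ == "__main__":
    info = parse_frag_needed(FRAG_NEEDED)
    print("ICMP 3/4 for %s:%d -> %s:%d, next-hop MTU %d"
          % (info["src"], info["sport"], info["dst"], info["dport"], info["next_hop_mtu"]))
    pmtu = apply_pmtud(1500, FRAG_NEEDED)
    print("path MTU 1500 -> %d, %d bytes of TCP data per segment"
          % (pmtu, tcp_payload_per_segment(pmtu)))
```

A firewall that drops all ICMP discards exactly this message, so the sender never learns the 1492 and keeps retransmitting 1500-byte DF packets that the PPPoE hop cannot forward; that is the black hole the post describes.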
Hemos is like... sci-fi fans; he thinks technology is cool, but he hasn't bothered to understand the science it's based on
I agree that PPPoE (note the 3 P's) is not the most elegant solution, but it is perfectly valid to have smaller MTUs. It is peoples' firewalls that are broken here.
john
Assuming you use your linux machine as a router there is a solution. Using a recent distro/kernel there should be an ipt_TCPMSS module available. Running iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu "does the trick" of adjusting packet sizes. Sites like CERT, SecurityFocus or GMX.de are accessible then.
Further readings here and here.
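What that TCPMSS rule does to a packet, as an added Python example (not netfilter's code and not from the thread): a constructed SYN carrying MSS 1460 is passed through a model of --clamp-mss-to-pmtu for a 1492-byte path, the option is rewritten to 1452 and the TCP checksum is recomputed, while a plain ACK is returned untouched because the rule only matches SYN-without-RST. Addresses, ports and sequence numbers are constructed sample values.

```python
import socket
import struct

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the whole segment."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(segment))
    return inet_checksum(pseudo + segment)


def build_segment(src, dst, sport, dport, flags, mss=None):
    """Constructed TCP segment with no data; a SYN normally carries an MSS option
    (kind 2, length 4) advertising the sender's own MTU minus 40."""
    options = struct.pack("!BBH", 2, 4, mss) if mss is not None else b""
    data_offset = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, data_offset << 4, flags, 65535, 0, 0)
    seg = hdr + options
    return seg[:16] + struct.pack("!H", tcp_checksum(src, dst, seg)) + seg[18:]


def mss_option_offset(segment: bytes):
    """Byte offset of the MSS value in the option area, or None if there is none."""
    end = (segment[12] >> 4) * 4
    i = 20
    while i < end:
        kind = segment[i]
        if kind == 0:                    # End of Option List
            return None
        if kind == 1:                    # NOP padding
            i += 1
            continue
        length = segment[i + 1]
        if length < 2:
            raise ValueError("malformed TCP option")
        if kind == 2 and length == 4:
            return i + 2
        i += length
    return None


def read_mss(segment: bytes):
    off = mss_option_offset(segment)
    return None if off is None else struct.unpack("!H", segment[off:off + 2])[0]


def clamp_mss_to_pmtu(src: str, dst: str, segment: bytes, pmtu: int):
    """Model of iptables -j TCPMSS --clamp-mss-to-pmtu on one forwarded segment.
    Only SYNs without RST are touched (the --tcp-flags SYN,RST SYN match); the
    MSS is lowered to pmtu - 40 when larger and the checksum is fixed up.
    Returns (segment, old_mss, new_mss)."""
    old = read_mss(segment)
    if (segment[13] & (TCP_SYN | TCP_RST)) != TCP_SYN or old is None:
        return segment, old, old         # not a SYN, or no MSS option: untouched
    clamp = pmtu - 40                    # 20-byte IP + 20-byte TCP headers
    if old <= clamp:
        return segment, old, old
    seg = bytearray(segment)
    off = mss_option_offset(segment)
    seg[off:off + 2] = struct.pack("!H", clamp)
    seg[16:18] = b"\x00\x00"
    seg[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(seg)))
    return bytes(seg), old, clamp


# Constructed traffic from a 1500-MTU LAN host to a web server reached over a
# 1492-byte PPPoE link (documentation addresses, not real hosts).
SRC, DST = "192.0.2.10", "198.51.100.20"
SYN = build_segment(SRC, DST, 40000, 80, TCP_SYN, mss=1460)
ACK = build_segment(SRC, DST, 40000, 80, TCP_ACK)

if __name__ == "__main__":
    clamped, old, new = clamp_mss_to_pmtu(SRC, DST, SYN, 1492)
    print("SYN MSS %d -> %d, checksum valid: %s"
          % (old, new, tcp_checksum(SRC, DST, clamped) == 0))
```

Because the clamp lives in the SYN exchange, it fixes TCP only; anything without an MSS to rewrite (UDP, IPsec, GRE) still depends on the ICMP 3,4 message getting through, which is the limitation the earlier post mentions.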
It probably works for you because your machine is probably configured with a maxmtu setting of less than 1492. The problem comes when you are using path mtu discovery, not a defined maxmtu.
Just noticed this in the netfilter section of linux config file:
Don't know about you but myself I can't remember actually using this nf option... ;-)
Maybe the reason is I always let the ICMP packets go
Any thoughts about those other dangers of blocking ICMP 3,4?
That's not the reason why they do it. It's usually a side effect of doing a generic block on ICMP at the firewall. The generic block seems logical to your average clueless sysadmin since now the local network is harder to flood with ICMP Pings or used to bounce them. Unfortunately people keep forgetting that ICMP is more than just PING and TRACEROUTE.
Agreed! These people that defend this protocol have probably never had the displeasure of being forced to use it. It's sole purpose seems to be to allow phone companies to micromanage the DSL connections a little more.
The PPPoE software (client AND server side) is terrible for the most part, and it took YEARS to get them even as stable as they are now.
For a broadband connection, it's horrible. Originally, everyone used DHCP to assign you the necessary info, but now it's all done through PPP. It's just like dial-up again, even the connection procedures! Add to that the fact that most ISPs use dynamic IP addressing and you'll get a new IP *every* time you connect (not so bad in itself, but coupled with the frequent disconnections, see terrible software above...) It's a nightmare for the end user.
Protocols are supposed to be TRANSPARENT to the end user. PPPoE is anything but. There's a reason there's a ton of support sites to help people with its bizarre configuration. It's a failure.
For PPPoE links this should be set to 1492.
Sometimes. Sometimes less. I actually ran into this problem with my old DsL connection; I couldn't reach the "My Yahoo" series of sites, of all places. I don't know about a full-blown academic paper on the subject, but here are a couple of references you might find useful if you're on PPPoE and you find sites mysteriously unreachable:
windows : http://www.winguides.com/registry/display.php/110
Linux: http://www.linuxnewbie.org/nhf/Modems/Tweaking_Your_Modem_with_MTU_and_MRU.html
Basically, what you do is ratchet down the MTU until you can see the sites you weren't able to before. It might only need to be reduced to 1492; maybe lower, though.
These were both near the top of the google list for their respective searches; dozens more are obviously available through the same procedure.
If you don't use PPPoE and want to test some of these theories, you can try a "ifconfig eth0 mtu 1400" where eth0 is your network connection.
put the what in the where?
Bugger what some textbook says it means, RFC1191 where "Path MTU Discovery" is defined clearly says it's "Maximum Transmission Unit" -- you'd think folks campaigning to get people to follow the RFCs would read them more closely.
And RFC791 where MTU was itself defined (among other things) also says it means "Maximum Transmission Unit."
Heard the saying "just enough knowledge to be dangerous"? That's a good way to describe folks who think they need to disallow ICMP 3,4 to secure themselves from DoS attacks.
Allowing ICMP 3,4 at your firewall does not make your site more vulnerable if you have enough knowledge to do it right. See http://www.cisco.com/warp/public/63/car_rate_limit_icmp.html for a description of how to do it right.
It's a .pdf.gz -- you have to gunzip it first. Unfortunately my browser (Moz 1.2b) seems to think it's just .pdf and tries to open it directly in Acrobat; maybe their server is sending the wrong MIME type?