MSS Initiative Makes Progress
Phil writes "The MSS Initiative was started by Richard van den Berg and myself to combat sites that are broken (enable Path MTU Discovery AND block ICMP 3,4), which include such big sites as SecurityFocus and CERT (causing those behind PPPoE and other less-than-1500-MTU protocols to be unable to view the sites). This past week we were privileged enough to be able to present a paper at the 16th LISA Systems Administration Conference! Check out the paper and slides and be sure, like many members of the audience, to fix the sites you administer!"
This problem is way too technical to explain to most sysadmins. Expecting them to fix it after a kind notification seems naive at best. Instead, focus on firewall product manufacturers. In many cases sysadmins just use some sort of generated rules from some firewall product or duplicate sections of HOWTOs. If you make sure the generated stuff is OK and the HOWTOs and manuals don't misinform the sysadmins, there's a lot to gain.
Jilles
PPPoE may be a silly idea, but destroying path MTU discovery is WRONG. Not only PPPoE has problems with this, but anyone on a network that uses larger packets than the link to the rest of the net.
PMTUD was made long before PPPoE, and is an integrated part of the IP protocol.
And yet modems work without problems.
It is PPPoE's reliance (not use) on path discovery that is causing the issue here.
It's not surprising that security sites are blocking ICMP 3,4. Allowing it potentially allows a DoS attack to be attempted with relatively low bandwidth. (Set MTU to minimum, send large amount of traffic, packet overhead increases).
If you need that functionality in your own network, go for it. But I don't see why others should make themselves more vulnerable just because a minority are having trouble when everyone else is fine. (BTW that 70% figure sounds impressive, but keep in mind the low percentage of broadband users.)
Astonishingly, the paper neglected to mention the best solution for site admins that I have yet seen for the problem -- rate limiting as a protection from DoS attacks. Cisco describes their implementation of this at http://www.cisco.com/warp/public/63/car_rate_limit_icmp.html. I don't know how widespread router vendor support for this is, but the concept is spot-on.
If behaviors which are normally both legal and helpful can turn deadly when they take on a certain pattern, then don't prohibit the behavior wholesale; identify when that pattern is developing and then cut it off. Wasn't that the whole concept behind stateful packet inspection anyway?
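The failure described in the submission (ICMP type 3 code 4 blocked, so a host behind a 1492-byte PPPoE link never learns to shrink its DF-set packets) and the rate-limiting alternative proposed in the comment above, as an added Python example that is not part of the original page, the LISA paper, or Cisco's CAR implementation: it builds and validates an ICMP "Fragmentation Needed" message (RFC 792 layout with the RFC 1191 next-hop MTU field), applies it to a host-side path-MTU cache with the sanity checks a receiving host should make (checksum, embedded header really ours, MTU not below the IPv4 minimum, only ever a decrease), and then shows a token-bucket limiter passing a bounded number of such messages per second instead of dropping them all. The addresses, port numbers, bucket parameters and function names are assumptions chosen for illustration.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3   # ICMP type 3: Destination Unreachable (RFC 792)
ICMP_FRAG_NEEDED = 4    # code 4: Fragmentation Needed and DF was Set
IPV4_MIN_MTU = 68       # RFC 791: every IPv4 host must accept a 68-byte datagram
# RFC 1191 section 7.1 plateau table, used when a pre-1191 router reports MTU 0
MTU_PLATEAUS = [65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68]


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frag_needed(next_hop_mtu: int, original_datagram_head: bytes) -> bytes:
    """Build the ICMP 3/4 message a router sends when a DF packet exceeds its link MTU.
    Layout: type, code, checksum, unused(16), next-hop MTU(16), then the original IP
    header plus the first 8 bytes of its payload. Built locally; nothing is sent."""
    unchecked = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
                            0, 0, next_hop_mtu) + original_datagram_head
    return unchecked[:2] + struct.pack("!H", inet_checksum(unchecked)) + unchecked[4:]


def parse_frag_needed(icmp: bytes):
    """Validate an ICMP 3/4 message and return the fields a host acts on, or None."""
    if len(icmp) < 8 + 20:                      # ICMP header + minimal embedded IPv4 header
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if typ != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    if inet_checksum(icmp) != 0:                # a correct message checksums to zero
        return None
    inner = icmp[8:]                            # the original datagram's header + 8 bytes
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])   # ports for TCP/UDP
    return {"mtu": mtu, "proto": inner[9], "src": socket.inet_ntoa(inner[12:16]),
            "dst": socket.inet_ntoa(inner[16:20]), "sport": sport, "dport": dport}


def update_pmtu(cache: dict, report: dict, local_addr: str, default_mtu: int = 1500) -> int:
    """Apply a parsed 3/4 report to a per-destination PMTU cache.
    Only honoured if the embedded header was sent by us (src == local_addr), the MTU
    is sane, and it is a decrease; anything else leaves the cache untouched."""
    current = cache.get(report["dst"], default_mtu)
    if report["src"] != local_addr:
        return current
    mtu = report["mtu"]
    if mtu == 0:                                # pre-RFC-1191 router: step down one plateau
        mtu = next((p for p in MTU_PLATEAUS if p < current), IPV4_MIN_MTU)
    if mtu < IPV4_MIN_MTU or mtu >= current:
        return current
    cache[report["dst"]] = mtu
    return mtu


class TokenBucket:
    """Pass ICMP 3/4 up to `burst` at once, then `rate` per second; drop the excess.
    Rate-limiting in the spirit of the router-side approach discussed above."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def filter_burst(arrival_times, rate: float, burst: int):
    """Return (allowed, dropped) for a list of arrival timestamps in seconds."""
    bucket = TokenBucket(rate, burst)
    allowed = sum(1 for t in arrival_times if bucket.allow(t))
    return allowed, len(arrival_times) - allowed


# Constructed sample: IP header + first 8 bytes of a 1500-byte DF TCP segment from
# 198.51.100.7:40000 to 192.0.2.10:80 (documentation addresses, not real hosts).
SAMPLE_INNER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                           socket.inet_aton("198.51.100.7"),
                           socket.inet_aton("192.0.2.10")) + struct.pack("!HHI", 40000, 80, 0)


def demo():
    msg = build_frag_needed(1492, SAMPLE_INNER)          # PPPoE-sized next hop
    report = parse_frag_needed(msg)
    cache = {}
    cached = update_pmtu(cache, report, local_addr="198.51.100.7")
    corrupted = msg[:8] + bytes([msg[8] ^ 0xFF]) + msg[9:]  # one flipped byte
    # 20 messages in the same instant, then 5 more a second later, at 2/s with burst 5
    limiter = filter_burst([0.0] * 20 + [1.0] * 5, rate=2.0, burst=5)
    return {"parsed_mtu": report["mtu"], "cached_mtu": cached,
            "corrupted_accepted": parse_frag_needed(corrupted) is not None,
            "limiter": limiter}


if __name__ == "__main__":
    print(demo())
```

The limiter is the point of contention in the thread: with it in place, the handful of 3/4 messages a legitimate path needs always get through, while a flood aimed at forcing every sender down to tiny packets is capped at the bucket rate rather than turning the site into a black hole for everyone on a sub-1500 link.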
Got the latest M$ XP Pro, and Adobe...
I wish people wouldn't do this. You don't "have Adobe" any more than you "have the Internet" or something similar.
I'd guess from the context that you're talking about Acrobat Reader. Unfortunately, people also use the term "I've got Adobe" to refer to Photoshop.
Granted, the origin of all this was companies, not consumers, with people like Microsoft and Netscape putting their company names into their product name, but it's confusing, and it's consumers that are keeping it going.
May we never see th