Slashdot Mirror


MSS Initiative Makes Progress

Phil writes "The MSS Initiative was started by Richard van den Berg and myself to combat sites that are broken (enable Path MTU Discovery AND block ICMP type 3, code 4), which include such big sites as SecurityFocus and CERT (causing those behind PPPoE and other less-than-1500-MTU protocols to be unable to view the sites). This past week we were privileged enough to be able to present a paper at the 16th LISA Systems Administration Conference! Check out the paper and slides and be sure, like many members of the audience, to fix the sites you administer!"
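The mechanism behind the complaint: a server that sets Don't Fragment relies on receiving ICMP type 3 code 4 ("fragmentation needed") from the router in front of a narrower link; filter that message and every full-size segment is silently dropped while the server keeps retransmitting it. The fix the initiative asks site operators for is to clamp the MSS advertised in TCP SYNs to what the narrowest link can carry (for PPPoE, 1492 - 20 - 20 = 1452 bytes), which is what the Linux iptables TCPMSS target does with --clamp-mss-to-pmtu. The Python below is an added example, not code from the MSS Initiative, the paper or the sites named above: it builds a constructed SYN (TEST-NET addresses, constructed port numbers), rewrites the MSS option the way a clamping middlebox would, and recomputes the TCP checksum so the result is still a valid segment.

```python
import struct

IPV4_HDR_LEN = 20
TCP_MIN_HDR_LEN = 20
PPPOE_OVERHEAD = 8   # 6-byte PPPoE header + 2-byte PPP protocol field: 1500 - 8 = 1492


def mss_for_mtu(mtu):
    """Largest TCP payload that fits in one unfragmented IPv4 packet of the given MTU."""
    return mtu - IPV4_HDR_LEN - TCP_MIN_HDR_LEN


def tcp_checksum(src, dst, segment):
    """RFC 793 checksum over the IPv4 pseudo-header plus the TCP segment.
    Returns 0 when called on a segment whose checksum field is already correct."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries (ones-complement add)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src, dst, sport, dport, mss, window=65535):
    """Constructed TCP SYN with MSS, NOP, window-scale and SACK-permitted options."""
    options = struct.pack("!BBH", 2, 4, mss)   # kind 2 = MSS, length 4
    options += b"\x01"                          # kind 1 = NOP (alignment)
    options += struct.pack("!BBB", 3, 3, 7)     # kind 3 = window scale
    options += struct.pack("!BB", 4, 2)         # kind 4 = SACK permitted
    options += b"\x00" * (-len(options) % 4)    # pad header to a 32-bit boundary
    data_offset = (TCP_MIN_HDR_LEN + len(options)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                      data_offset << 4, 0x02, window, 0, 0)   # 0x02 = SYN
    seg = hdr + options
    csum = tcp_checksum(src, dst, seg)          # checksum field (bytes 16-17) is zero here
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


def iter_options(segment):
    """Yield (kind, option_offset, length) for each non-NOP option in the TCP header."""
    data_offset = (segment[12] >> 4) * 4
    i = TCP_MIN_HDR_LEN
    while i < data_offset:
        kind = segment[i]
        if kind == 0:                           # end of option list
            return
        if kind == 1:                           # NOP has no length byte
            i += 1
            continue
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("malformed TCP option")
        yield kind, i, length
        i += length


def get_mss(segment):
    """MSS advertised in the segment's options, or None if absent."""
    for kind, off, length in iter_options(segment):
        if kind == 2 and length == 4:
            return struct.unpack_from("!H", segment, off + 2)[0]
    return None


def clamp_mss(src, dst, segment, mtu):
    """Rewrite an over-large MSS option down to mtu - 40 and fix the checksum,
    as a router in front of a narrow link would. Returns (segment, clamped)."""
    limit = mss_for_mtu(mtu)
    seg = bytearray(segment)
    clamped = False
    for kind, off, length in iter_options(segment):
        if kind == 2 and length == 4:
            current = struct.unpack_from("!H", seg, off + 2)[0]
            if current > limit:
                struct.pack_into("!H", seg, off + 2, limit)
                clamped = True
    if clamped:
        seg[16:18] = b"\x00\x00"                # zero the old checksum before recomputing
        struct.pack_into("!H", seg, 16, tcp_checksum(src, dst, bytes(seg)))
    return bytes(seg), clamped


if __name__ == "__main__":
    # Constructed sample: a client on a PPPoE link (MTU 1492) opening a connection to a web server.
    client = bytes([192, 0, 2, 10])             # TEST-NET-1, constructed
    server = bytes([198, 51, 100, 20])          # TEST-NET-2, constructed
    syn = build_syn(client, server, 40000, 80, mss=1460)
    fixed, changed = clamp_mss(client, server, syn, mtu=1492)
    print("advertised MSS:", get_mss(syn))
    print("clamped MSS:", get_mss(fixed), "changed:", changed)
    print("checksum still valid:", tcp_checksum(client, server, fixed) == 0)
```

Clamping only touches the SYN, so it costs nothing on the data path and works whether or not the site ever fixes its ICMP filter; a server that wants to stay correct without middleboxes simply has to let type 3 code 4 through.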

5 of 114 comments

  1. Speaking of "broken"... by wowbagger · Score: 5, Interesting

    The PDF of the paper refuses to render with any Ghostscript-derived viewer.

    It sure would be nice if those who wish to cast stones would make sure their own position is clean.

    That said, I've had to ding webmasters about having their routers set up to block packets with explicit congestion notification (ECN) set - that is now an accepted part of TCP/IP, and failing to accept packets with ECN set is a violation of the standard.

  2. Thank You by w1r3sp33d · Score: 5, Interesting

    MTU has turned into the bane of my existence. Between ATM header problems, VPNs which can't have their packets fragmented without blowing up their CRCs, and voice and video apps over low-speed links, adjusting the MTU down isn't an option anymore; many times it is required. Maybe a site here or there won't display, but usually it's downloads that die, like a Norton update for example. If I reset the MTU back to 1500 then the VPNs drop and voice develops jitter or drops (using a VoVPN as an example), but everyone can download their updates (and of course, more importantly, their MP3s). My point is that allowing your FTP server to service a packet at 750 won't kill you or your server. How much overhead do you add by sending two packets at 750 over one at 1500, and how much bandwidth will you save? Until this problem completely disappears I will keep a copy of Dr. TCP on my laptops; I believe you can get free copies of it from Cisco (might need to be registered).

  3. Re:Better yet get rid of PPPoE by Ektanoor · Score: 3, Interesting

    And what do you offer in exchange? Raw Ethernet? Sorry, but that's overbastardization for some tasks. You ignore that virtual networks, private networks and several security tasks need such things as PPPoE, VPN, PPTP and the like. However, there is a price to pay. In the case of PPPoE it is a logical price, as you need to lower the MTU of the inner package so that the whole thing fits into a classical 1500-byte data envelope and the host will not break his head with oversized datapacks. If no one gets the idea why this should be done, then it is him who's the idiot and not the protocol. And if one doesn't get the idea why such kinds of protocols exist, then better RTFM a little before calling others idiots. A lot of my colleagues use virtual networks for tons of tasks, as solving things on a single raw physical basis is becoming near to impossible today. It is becoming overly expensive and risks are getting bigger and bigger.

  4. Re:education is not a solution by Mark+Bainter · Score: 3, Interesting

    You aren't very specific here. If you're talking about people who are Microsoft Admins (which IMO don't qualify for the term "sysadmin" in large part) then maybe. Even then you're only talking about a segment of the group... arguably a large one, but still a segment. There are still some MS admins with a clue.

    If you're talking about (real|unix) sysadmins then I think you're probably way off base. Or at least I certainly hope so. If you're right, then we've had some serious degeneration going on. I've got a rather cynical view as it is considering the number of clueless people I run into even on the unix side but the majority I meet still do know what the hell they're talking about. And few if any would just use some pre-defined firewall ruleset, and even fewer would be unable to understand a request of this nature.

    --
    "No nation could preserve its freedom in the midst of continual warfare."
    --James Madison

  5. Re:People who violate the rules of RFCs are JERKS by 0x0d0a · Score: 4, Interesting

        I think the arrogant jerks that violate the rules of internet RFCs should be outed or blacklisted.

    Okay, maybe my feelings are a little less strong, but I feel frustration about this as well. However...

        Boo to arrogant linux-bsd-oriented self-appointed security experts.

    What in God's name does this have to do with Linux or BSD? If anything, I find overzealous network admins to be more frequently Windows-oriented (let's block random attachments because they might contain executables that are easy to execute with our company's default mailer!).

    Actually, I'd like to see more network admins handle ECN. It's been around in Linux for a while now, and it helps everyone, and network admins are doing jack and shit about it.

    What we need is MS to put out a new OS with ECN support so that network admins fix their routers/firewalls.
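Comments 1 and 5 both point at the same firewall mistake: RFC 3168 defined the ECE and CWR flags in the two high bits of the TCP flag byte, which older filters still treat as "reserved, must be zero", so an ECN-capable client's SYN (which sets both) is dropped on the floor. The Python below is an added example, not code from the thread or from any firewall product; the 20-byte headers it builds are constructed (no options, zero checksum) and serve only to show which bits the broken rule and the corrected rule look at.

```python
import struct

# TCP flag bits in header byte 13, in RFC 3168's layout. ECE and CWR were
# carved out of the field that RFC 793 left reserved.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))


def minimal_tcp_header(flags, sport=40000, dport=80):
    """Constructed 20-byte TCP header with no options and a zero checksum.
    Enough to exercise flag-based filtering; not a transmittable segment."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def tcp_flags(segment):
    """The 8 flag bits of a TCP header (byte 13)."""
    return segment[13]


def is_ecn_setup_syn(segment):
    """An ECN-capable client opens with SYN and both ECE and CWR set
    (RFC 3168 section 6.1.1); the SYN/ACK answers with ECE only."""
    f = tcp_flags(segment)
    return bool(f & SYN) and not (f & ACK) and (f & (ECE | CWR)) == (ECE | CWR)


def legacy_filter_drops(segment):
    """The rule the comments complain about: treat bits 6 and 7 of the flag
    byte as 'reserved, must be zero' and drop anything that sets them.
    This kills every ECN-negotiating SYN."""
    return bool(tcp_flags(segment) & (ECE | CWR))


def rfc3168_filter_drops(segment):
    """Corrected rule: ECE and CWR are defined flags and pass. What is still
    reserved lives in the low nibble of byte 12 (bits 3..1); bit 0 is left
    alone because RFC 3540 later assigned it to the experimental NS flag."""
    return bool(segment[12] & 0x0E)


if __name__ == "__main__":
    # Constructed samples: a plain SYN and an ECN-capable SYN from the same client.
    plain_syn = minimal_tcp_header(SYN)
    ecn_syn = minimal_tcp_header(SYN | ECE | CWR)
    for name, seg in (("plain SYN", plain_syn), ("ECN SYN", ecn_syn)):
        print(name, "flags=0x%02x" % tcp_flags(seg),
              "ecn-setup:", is_ecn_setup_syn(seg),
              "legacy filter drops:", legacy_filter_drops(seg),
              "RFC 3168 filter drops:", rfc3168_filter_drops(seg))
```

The first function is also what you would grep for in a packet capture when a site "just hangs" for some clients and not others: SYNs with 0xC2 in the flag byte leaving the client and no SYN/ACK coming back is the signature of the filter described in comment 1.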