MSS Initiative Makes Progress
Phil writes "The MSS Initiative was started by Richard van den Berg and myself to combat sites that are broken (enable Path MTU Discovery AND block ICMP 3,4) which include such big sites as SecurityFocus and CERT (causing those behind PPPoE and other less-than-1500-MTU-protocols to be unable to view the sites). This past week we were privileged enough to be able to present a paper at the 16th LISA Systems Administration Conference! Check out the paper and slides and be sure, like many members of the audience, to fix the sites you administer!"
Both sites work with me. I have an MTU of 1492 and PPPoE.
But if he says so, then I won't access them, due to the 'problem'...
But my Mom says I'm cool! -Milhouse
MTU: Maximum Transfer Unit.
This is the maximum number of bytes that your computer will send out in a packet. This should be set according to what your connection can handle. For ethernet this should be set to 1500. For PPPoE links this should be set to 1492.
MSS: Maximum Segment Size.
This is used in negotiating what the MTU of a connection between two hosts will be. Essentially this is saying "please don't send me packets bigger than X." This should typically be set to 40 less than your MTU to allow room for headers.
...see the redundancy of creating a blacklist for networks you can't reach to begin with?
Actually, according to conventional wisdom, the majority of network admins and the world in general, (oh, and TCP/IP Illustrated 2nd Edition):
MTU: Maximum Transmission Unit.
I have no idea where the MSS people got "transfer" from.
Janie took my gun...
The PDF of the paper refuses to render with any Ghostscript derived viewer.
It sure would be nice if those who wish to cast stones would make sure their own position is clean.
That said, I've had to ding webmasters about having their routers set up to block packets with explicit congestion notify set - that is now an accepted part of TCP/IP, and failing to accept packets with ECN set is a violation of the standard.
www.eFax.com are spammers
This problem is way too technical to explain to most sysadmins. Expecting them to fix it after a kind notification seems naive at best. Instead focus on firewall product manufacturers. In many cases sysadmins just use some sort of generated rules from some firewall product or duplicate sections of howto's. If you make sure the generated stuff is ok and the howto's & manuals don't misinform the sysadmins, there's a lot to gain.
Jilles
MTU has turned into the bane of my existence. Between ATM header problems, VPNs which can't have their packets fragmented without blowing up their CRCs, and voice and video apps over low speed links, adjusting the MTU down isn't an option anymore; many times it is required. Maybe a site here or there won't display, but usually it's downloads that die, like a Norton update for example. If I reset the MTU back to 1500 then the VPNs drop and voice develops jitter or drops (using a VoVPN as an example) but everyone can download their updates (and of course more importantly their mp3's.) My point is that allowing your ftp server to service a packet at 750 won't kill you or your server. How much overhead do you add by sending two packets at 750 over one at 1500 and how much bandwidth will you save? Until this problem completely disappears I will keep a copy of Dr. TCP on my laptops; I believe you can get free copies of it from Cisco (might need to be registered).
I didn't think anybody used LISA's anymore ;-)
Anybody know what LISA stands for ?
beauty is only a light switch away
Why on earth do idiots feel the need to bastardize everything. This whole thing is about PPPoE not MTU size. The better solution is to get rid of the bastardization (PPPoE).
Got Code?
The linked paper seems to be broken, and I'm feeling rather lost in this sea of acronyms...
The PDF on this mirror seems to work.
-------
Warning: Slashdot may contain traces of nuts.
There needs to be more awareness in the internet world about not breaking some of the underlying technologies. What the authors are talking about is sites with fuckheaded admins who blindly block all ICMP traffic with their firewalls.
Path Maximum Transmission Unit Discovery, ICMP type 3 code 4, is sent to an IP stack telling it to send smaller IP packets so the packets don't get fragmented along the way. When nearly 75% of broadband users in Europe are forced to use PPPoE, they count on a working PMTUD message making things work.
There is a workaround, called MSS clamping, built into Roaring Penguin PPPoE (great software, guys!) which tweaks the TCP stack for web traffic. Unfortunately, it breaks all kinds of other traffic which doesn't expect the MSS to change.
So this paper is a good start to informing network admins there is no security risk in allowing some types of ICMP traffic. MSS clamping and PMTUD problems were a main topic of coffee break discussions at the last RIPE meeting. Now it remains to convince the firewall manufacturers to change their defaults so that they aren't breaking more and more of the internet. Adding this information to Firewall-HOWTOs would also be a good idea.
the AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
And here is a mirror for the slides.
Also, the PDF seems to be broken. It won't display on my system. (Anyone else have that problem?)
Overall, pretty impressive.
The version on the USENIX site seems at least to have the correct spelling in the title, but you need a password to download the PDF there.
Patrick Doyle
I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
Or, you know..those using PPPoE. Sounds like a pretty incorrect setup to me.
--- What
If the packet size is less than 1458 then Cisco Express Forwarding is used to forward the packet to its destination, whilst above 1458 the hardware will inspect the packet, make a number of decisions and then forward it.
thank God the internet isn't a human right.
Assuming you use your Linux machine as a router there is a solution. Using a recent distro/kernel there should be an ipt_TCPMSS module available. Running `iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu` "does the trick" of adjusting packet sizes. Sites like CERT, SecurityFocus or GMX.de are accessible then.
Further readings here and here.
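What that iptables rule does to each SYN, as an added example (not code from the post or from netfilter): it walks the TCP options, lowers an MSS (option kind 2) larger than PMTU minus 40 to that limit, and patches the TCP checksum with the RFC 1624 incremental update. The sample SYN and the checksum without a pseudo-header are constructed for the demo.

```python
import struct

IPV4_TCP_OVERHEAD = 40  # 20-byte IPv4 header + 20-byte TCP header, the "40 less" rule

def ones_complement_sum(data: bytes) -> int:
    """Internet checksum of even-length `data` (TCP pseudo-header omitted in this demo)."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def incremental_checksum(old_csum: int, old_val: int, new_val: int) -> int:
    """RFC 1624: update a checksum when one 16-bit word changes, without a full recompute."""
    total = (~old_csum & 0xFFFF) + (~old_val & 0xFFFF) + new_val
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def clamp_mss(tcp_header: bytes, pmtu: int) -> bytes:
    """Copy of a TCP SYN header with its MSS option (kind 2) clamped to pmtu - 40,
    the rewrite iptables TCPMSS does so the peer never needs an ICMP 3/4 to fit the link."""
    hdr = bytearray(tcp_header)
    limit = pmtu - IPV4_TCP_OVERHEAD
    data_offset = (hdr[12] >> 4) * 4   # TCP header length incl. options, in bytes
    i = 20
    while i < data_offset:
        kind = hdr[i]
        if kind == 0:                  # end of option list
            break
        if kind == 1:                  # NOP padding
            i += 1
            continue
        length = hdr[i + 1]
        if length < 2:                 # malformed option: stop rather than loop forever
            break
        if kind == 2 and length == 4:  # MSS option: kind, len, 16-bit value
            old = struct.unpack_from("!H", hdr, i + 2)[0]
            if old > limit:
                struct.pack_into("!H", hdr, i + 2, limit)
                csum = struct.unpack_from("!H", hdr, 16)[0]
                struct.pack_into("!H", hdr, 16, incremental_checksum(csum, old, limit))
        i += length
    return bytes(hdr)

def build_syn(mss: int) -> bytes:
    """Constructed sample: 24-byte SYN (base header + MSS option) with a valid checksum."""
    base = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    pkt = bytearray(base + struct.pack("!BBH", 2, 4, mss))
    struct.pack_into("!H", pkt, 16, ones_complement_sum(bytes(pkt)))
    return bytes(pkt)
```

With a 1492-byte PPPoE path, `clamp_mss(build_syn(1460), 1492)` leaves the option at 1452 and the checksum still verifies; a SYN already advertising 1452 or less is passed through untouched.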
Just noticed this in the netfilter section of linux config file:
Don't know about you but myself I can't remember actually using this nf option... ;-)
Maybe the reason is I always let the ICMP packets go
Any thoughts about those other dangers of blocking ICMP3,4 ?
I had problems with this a few years ago when setting up Linux NAT machines for people on local networks. I was trying to tune PPP by adjusting MTU for various dialups for what I thought would be a more efficient setting. Problem though is the machines behind the NAT box are ethernet and tuned for different values. Shortly after I started noticing I could not reach various sites from the masq'd machines but worked fine directly from the NAT box. Knowing I had recently been messing with the PPP options I searched Google and found the different MTU to be the cause. Maybe the dialup users you speak of were directly connected?
Bad boys rape our young girls but Violet gives willingly.
As a frequent visitor of www.xyz.com...
:)
:)
The companies they mail must be seriously confused as to what this has to do with their site...
Jokes aside, that "frequent visitor" phrase is nice, and _may_ help getting their message through to the right persons.
But probably not - and it is lying (which is easy to deduce when visiting their site - the url is given in the same mail). Pretending to be a regular visitor may hurt these guys in the long run, even if they do stuff for a good cause... I don't know if they do, I read the explanations and still couldn't figure out if this was something worth bothering about.
The paper wouldn't open for me either. I'm running Acrobat 4.0 on Win95 (hey, it's fast, dude). Someone can probably advise him on saving it in compatible mode or something like that.
One simple rule for its versus it's
I think it's utopian to think one can fix so many ISPs' problems. It's like closing open relays: even with big real-time blocking lists, a lot still slip thru.
A good paper explaining MTU/MSS is on Cisco. If your ISP can't just 'adjust-mss' on his router, either he will fragment a lot and drop the DF (don't fragment) packets, or you will have to use Dr TCP to fix the MTU on your side.
have you been defaced today?
For PPPoE links this should be set to 1492.
Sometimes. Sometimes less. I actually ran into this problem with my old DSL connection; I couldn't reach the "My Yahoo" series of sites, of all places. I don't know about a full-blown academic paper on the subject, but here are a couple of references you might find useful if you're on PPPoE and you find sites mysteriously unreachable:
Windows: http://www.winguides.com/registry/display.php/110
Linux: http://www.linuxnewbie.org/nhf/Modems/Tweaking_Yo
Basically, what you do is ratchet down the MTU until you can see the sites you weren't able to before. It might only need to be reduced to 1492; maybe lower, though.
These were both near the top of the Google list for their respective searches; dozens more are obviously available through the same procedure.
If you don't use PPPoE and want to test some of these theories, you can try a "ifconfig eth0 mtu 1400" where eth0 is your network connection.
put the what in the where?
Please help me understand this initiative by not making up words. Yes, I can guess the meaning, but if that's the purpose (i.e. to keep the audience guessing) then why not just post random text? If the goal is to demonstrate your k3wlne55, then post in haCk15h. If the goal is to convey an idea, sway public opinion, convince a group of skeptics, form a consensus, and ultimately, build a coalition, you might want to consider restricting your phraseology to a more mainstream subset of English.
This is only a suggestion.
The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
Astonishingly, the paper neglected to mention the best solution for site admins that I have yet seen for the problem -- rate limiting as a protection from DoS attacks. Cisco describes their implementation of this at http://www.cisco.com/warp/public/63/car_rate_limit_icmp.html. I don't know how widespread router vendor support for this is, but the concept is spot-on.
If behaviors which are normally both legal and helpful can turn deadly when they take on a certain pattern then don't blanketly prohibit the behavior, identify when that pattern is developing and then cut it off. Wasn't that the whole concept behind stateful packet inspection anyways?
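The pattern-based approach the post argues for, as an added example that is not part of the comment and not Cisco's CAR implementation: a per-source token bucket limits ICMP volume instead of dropping the protocol wholesale, and "fragmentation needed" (type 3, code 4) gets its own bucket so a flood cannot starve the message PMTUD depends on. The event tuples, addresses and rates are constructed for the demo.

```python
import collections

class TokenBucket:
    """Token bucket in integer milli-tokens: `rate` tokens per second, burst of `burst`."""
    def __init__(self, rate: int, burst: int):
        self.rate, self.cap = rate, burst * 1000
        self.tokens, self.last_ms = self.cap, 0
    def allow(self, now_ms: int) -> bool:
        self.tokens = min(self.cap, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False

def filter_icmp(events, rate=10, burst=5):
    """events: (ms, src_ip, icmp_type, icmp_code). Returns (passed, dropped) Counters
    keyed 'pmtud' (type 3 code 4) or 'other'. PMTUD messages use their own bucket per
    source so an echo flood from the same host cannot starve them; the rest share one
    per-source bucket. Blanket blocking would drop every 'pmtud' message instead."""
    buckets = collections.defaultdict(lambda: TokenBucket(rate, burst))
    passed, dropped = collections.Counter(), collections.Counter()
    for ms, src, itype, code in sorted(events):
        kind = "pmtud" if (itype, code) == (3, 4) else "other"
        (passed if buckets[(src, kind)].allow(ms) else dropped)[kind] += 1
    return passed, dropped

# Constructed sample: 100 echo requests in one second (a flood) plus three
# ICMP 3/4 "fragmentation needed" messages from the same source during it.
SAMPLE_EVENTS = [(i * 10, "10.0.0.9", 8, 0) for i in range(100)] + \
                [(500 + i * 200, "10.0.0.9", 3, 4) for i in range(3)]
```

Running `filter_icmp(SAMPLE_EVENTS)` passes the 5-packet burst plus one echo request per 100 ms (14 of 100) while all three fragmentation-needed messages get through.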
Got the latest M$ XP Pro, and Adobe...
I wish people wouldn't do this. You don't "have Adobe" any more than you "have the Internet" or something similar.
I'd guess from the context that you're talking about Acrobat Reader. Unfortunately, people also use the term "I've got Adobe" to refer to Photoshop.
Granted, the origin of all this was companies, not consumers, with people like Microsoft and Netscape putting their company names into their product name, but it's confusing, and it's consumers that are keeping it going.
May we never see th
I think the arrogant jerks that violate the rules of internet RFCs should be outed or blacklisted.
Okay, maybe my feelings are a little less strong, but I feel frustration about this as well. However...
Boo to arrogant linux-bsd-oriented self appointed security experts.
What in God's name does this have to do with Linux or BSD? If anything, I find overzealous network admins to be more frequently Windows-oriented (let's block random attachments because they might contain executables that are easy to execute with our company's default mailer!).
Actually, I'd like to see more network admins handle ECN. It's been around in Linux for a while now, and it helps everyone, and network admins are doing jack and shit about it.
What we need is MS to put out a new OS with ECN support so that network admins fix their routers/firewalls.
Actually no, I had this problem at one point when I set the MTU on my internal LAN to a lower value than my Linux-powered NAT box. There is no reason I should not be allowed to do this, it doesn't break any protocols. However suddenly all those silly sites that block ALL icmp traffic instead of just echo-request/reply wouldn't let me access them because the fragmented packets weren't being negotiated properly. ICMP exists for a reason, and disabling it is a BAD IDEA.
Jeremy
Just got back from LISA, where all the good presentations were double-booked and the CD-ROM of the slides cost another couple hundred over and above the $695 (Usenix member's price!) for the conference itself. I don't think I'll be going to the next one -- not if they don't at least include an electronic copy of the proceedings.
/. Let's do Dan Klein on "Constitutional and Financial Arguments Against Spam" next.
Saw the blurb in the LISA program (it appeared as "Overzealous Security Administrators Are Breaking the Internet" -- sheah, right, let's put six exclamation points on it) but had no idea what it was about until I got to this article.
Score one for
"Ain't no right way to do a wrong thing."
I think the arrogant jerks that violate the rules of internet RFCs should be outed or blacklisted.
You are absolutely right. Everyone using PPPoE should be banned from using the Internet. PPPoE is a _COMPLETELY_ broken protocol. If enough sites refuse to service people using such a cracked protocol, then maybe it will go away. In fact, I am going to go misconfigure the sites that I administer to make sure that they do not work with PPPoE.
I will not let anyone I know use PPPoE. I have advised every single one of them to get cable modems with DHCP instead.
The telephone companies are the only ones pushing PPPoE. Do we really want a bunch of morons who can't run an analog phone network dictate how the Internet operates? Just about everyone in my family has worked for a Telco, and frankly, I would not let any of them near a computer even if my life depended on it.
PPPoE is here and now and growing EVERY DAY, as people lose the ability and right to have static IP or long DHCP leases.
The "right" to have a static IP? I do not even know what that means. As for long DHCP leases, how about this for an idea, short DHCP leases!
PPPoE is a hack and it should die a horrible death. If you want to use the Internet, get a real internet connection or go back to using AOL.
-sirket
People also use "iso", "rs" and "ansi" for "ISO 9660", "EIA RS-232", and "ANSI X3.64", respectively.
I guess that the name of the standards organization should be enough. No need for these pesky numbers.
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
It corresponds to the maximum packet size for Ethernet.
Mea navis aericumbens anguillis abundat
> PPPoE is here and now and growing EVERY DAY, as people lose the ability and right to have static IP or long DHCP leases.
Since when was a static IP address a right?
I think that before you could decide that everyone had a right to a static IP address, you should count the people in the world, and the total number of possible IPv4 IP Addresses.
I think it's more like it's everyone's responsibility to not use a static IP unless they really need it, at least until IPv6 is the standard on the net..
Of course, by then, we will have suffered an ice age, been blasted with radiation from having the magnetic poles disappear, and watched civilization collapse due to the Y10k problem....so static IP addresses probably won't be top on everyone's mind...
Advanced users are users too!
It's a fairly arbitrary decision. The minimum packet size can be derived from the collision detection scheme used by Ethernet and the maximum length of an Ethernet segment. The maximum size is a compromise between efficiency, network latency and keeping the memory allocated to packet buffers to an affordable size. DIX Ethernet (10 Megabit/sec) was scaled up from experimental Ethernet (3 Megabit/sec), which limited packet size to approx. 4000 bits. See the original papers by Metcalfe and Boggs.
Mea navis aericumbens anguillis abundat
They give out static IP addresses and allow those who know how to do it and can keep their boxen patched the ability to run servers. They even have their own game server too! How cool is that?
Sorry about those in the other 49 states...PPPoE sucks.
Knowledge is power. Knowledge shared is power multiplied.