Slashdot Mirror


MSS Initiative Makes Progress

Phil writes "The MSS Initiative was started by Richard van den Berg and myself to combat sites that are broken (enable Path MTU Discovery AND block ICMP 3,4) which include such big sites as SecurityFocus and CERT (causing those behind PPPoE and other less-than-1500-MTU-protocols to be unable to view the sites). This past week we were privileged enough to be able to present a paper at the 16th LISA Systems Administration Conference! Check out the paper and slides and be sure, like many members of the audience, to fix the sites you administer!"

18 of 114 comments

  1. Definitions:yeah I had no clue what MSS was either by Anonymous Coward · · Score: 5, Informative

    MTU: Maximum Transfer Unit.
    This is the maximum number of bytes that your computer will send out in a packet. This should be set according to what your connection can handle. For ethernet this should be set to 1500. For PPPoE links this should be set to 1492.

    MSS: Maximum Segment Size.
    This is used in negotiating what the MTU of a connection between two hosts will be. Essentially this is saying "please don't send me packets bigger than X." This should typically be set to 40 less than your MTU to allow room for headers.

  2. Re:Definitions:yeah I had no clue what MSS was eit by Zeddicus_Z · · Score: 3, Informative

    Actually, according to conventional wisdom, the majority of network admins and the world in general, (oh, and TCP/IP Illustrated 2nd Edition):

    MTU: Maximum Transmission Unit.

    I have no idea where the MSS people got "transfer" from.

    --
    Janie took my gun...
  3. Speaking of "broken".... by wowbagger · · Score: 5, Interesting

    The PDF of the paper refuses to render with any Ghostscript derived viewer.

    It sure would be nice if those who wish to cast stones would make sure their own position is clean.

    That said, I've had to ding webmasters about having their routers set up to block packets with explicit congestion notify set - that is now an accepted part of TCP/IP, and failing to accept packets with ECN set is a violation of the standard.

  4. education is not a solution by jilles · · Score: 5, Insightful

    This problem is way too technical to explain to most sysadmins. Expecting them to fix it after a kind notification seems naive at best. Instead focus on firewall product manufacturers. In many cases sysadmins just use some sort of generated rules from some firewall product or duplicate sections of howto's. If you make sure the generated stuff is ok and the howto's & manuals don't misinform the sysadmins, there's a lot to gain.

    --

    Jilles
    1. Re:education is not a solution by Mark+Bainter · · Score: 3, Interesting
      You aren't very specific here. If you're talking about people who are Microsoft Admins (which imo don't qualify for the term "sysadmin" in large part) then maybe. Even then you're only talking about a segment of the group...arguably a large one, but still a segment. There are still some MS admins with a clue.

      If you're talking about (real|unix) sysadmins then I think you're probably way off base. Or at least I certainly hope so. If you're right, then we've had some serious degeneration going on. I've got a rather cynical view as it is considering the number of clueless people I run into even on the unix side but the majority I meet still do know what the hell they're talking about. And few if any would just use some pre-defined firewall ruleset, and even fewer would be unable to understand a request of this nature.

      --
      "No nation could preserve its freedom in the midst of continual warfare."
      --James Madison
  5. Thank You by w1r3sp33d · · Score: 5, Interesting

    MTU has turned into the bane of my existence; between ATM header problems, VPNs which can't have their packets fragmented without blowing up their CRCs, and voice and video apps over low speed links, adjusting the MTU down isn't optional anymore; many times it is required. Maybe a site here or there won't display, but usually it's downloads that die, like a Norton update for example. If I reset the MTU back to 1500 then the VPNs drop and voice develops jitter or drops (using a VoVPN as an example) but everyone can download their updates (and of course more importantly their MP3s.) My point is that allowing your FTP server to service a packet at 750 won't kill you or your server. How much overhead do you add by sending two packets at 750 over one at 1500 and how much bandwidth will you save? Until this problem completely disappears I will keep a copy of Dr. TCP on my laptops; I believe you can get free copies of it from Cisco (might need to be registered).

    1. Re:Thank You by gmack · · Score: 3, Informative

      That's not the reason why they do it. It's usually a side effect of doing a generic block on ICMP at the firewall. The generic block seems logical to your average clueless sysadmin since now the local network is harder to flood with ICMP pings or used to bounce them. Unfortunately people keep forgetting that ICMP is more than just PING and TRACEROUTE.

  6. Fixed PDF (mirror) here: by Jacco+de+Leeuw · · Score: 3, Informative

    The PDF on this mirror seems to work.

    --
    -------
    Warning: Slashdot may contain traces of nuts.
  7. Its a good start by anticypher · · Score: 5, Informative

    There needs to be more awareness in the internet world about not breaking some of the underlying technologies. What the authors are talking about is sites with fuckheaded admins who blindly block all ICMP traffic with their firewalls.

    Path Maximum Transmission Unit Discovery, ICMP type 3 code 4, is sent to an IP stack telling it to send smaller IP packets so the packets don't get fragmented along the way. When nearly 75% of broadband users in Europe are forced to use PPPOE, they count on a working PMTUD message making things work.

    There is a workaround, called MSS clamping, built into Roaring Penguin PPPOE (great software, guys!) which tweaks the TCP stack for web traffic. Unfortunately, it breaks all kinds of other traffic which doesn't expect the MSS to change.

    So this paper is a good start to informing network admins there is no security risk in allowing some types of ICMP traffic. MSS clamping and PMTUD problems were a main topic of coffee break discussions at the last RIPE meeting. Now it remains to convince the firewall manufacturers to change their defaults so that they aren't breaking more and more of the internet. Adding this information to Firewall-HOWTOs would also be a good idea.

    the AC

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
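The message the comment above is talking about, worked through end to end as an added example (this code is not from the MSS Initiative paper, the poster, or any firewall product). It builds an RFC 1191 Fragmentation Needed message (ICMP type 3, code 4) the way a PPPoE access router would, runs it through two inbound firewall policies at the sending site, and shows what the sender's stack learns from it. The addresses, the 1492-byte link and the policy names "block-all-icmp" and "allow-pmtud" are constructed for the example; the plateau table is the one in RFC 1191 section 7.1 and is used only when a router sends a zero Next-Hop MTU.

```python
import struct

IPPROTO_ICMP, IPPROTO_TCP = 1, 6

# RFC 1191 section 7.1 plateau table, consulted when an old router sends a
# Fragmentation Needed message with a zero Next-Hop MTU field.
MTU_PLATEAUS = (65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of big-endian 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int, df: bool) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    flags = 0x4000 if df else 0          # DF: a PMTUD sender sets it on every packet
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0,
                      flags, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def frag_needed(router: bytes, offending: bytes, next_hop_mtu: int) -> bytes:
    """Router side: ICMP type 3 code 4 for a DF packet that does not fit the
    next link.  RFC 1191 puts the next-hop MTU in ICMP bytes 6-7; the body
    quotes the offending IP header plus the first 8 bytes of its payload."""
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + offending[:28]
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(router, offending[12:16], IPPROTO_ICMP, len(icmp), df=False) + icmp


def firewall_passes(packet: bytes, policy: str) -> bool:
    """Inbound filter at the site.  'block-all-icmp' is the broken setup the
    thread is about; 'allow-pmtud' drops echo but keeps the error messages the
    stack depends on.  Policy names are this example's, not any product's."""
    if packet[9] != IPPROTO_ICMP:
        return True
    icmp_type = packet[20]
    if policy == "block-all-icmp":
        return False
    if policy == "allow-pmtud":
        return icmp_type in (3, 11)      # destination unreachable, time exceeded
    raise ValueError("unknown policy: " + policy)


def learn_path_mtu(packet: bytes, current_pmtu: int) -> int:
    """Sender side: if the packet is a valid Fragmentation Needed message,
    return the reduced path MTU, else the current one (assumes IHL == 5)."""
    if packet[9] != IPPROTO_ICMP:
        return current_pmtu
    icmp = packet[20:]
    if len(icmp) < 8 + 20 or inet_checksum(icmp) != 0:
        return current_pmtu              # truncated, corrupt or forged: ignore
    icmp_type, icmp_code, _, _, next_hop = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, icmp_code) != (3, 4):
        return current_pmtu
    quoted_total_len = struct.unpack("!H", icmp[10:12])[0]   # from the quoted IP header
    if next_hop == 0:                    # pre-RFC-1191 router: step down the plateau table
        next_hop = max(p for p in MTU_PLATEAUS if p < quoted_total_len)
    # Never raise the PMTU from an ICMP message, never go below the RFC 791 minimum.
    return max(68, min(current_pmtu, next_hop))


def demo(policy: str) -> int:
    """Constructed scenario: a web site (the sender) behind a firewall talks to
    a PPPoE client; the client's access router has a 1492-byte link."""
    site, router, client = bytes([192, 168, 2, 10]), bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    big = ipv4_header(site, client, IPPROTO_TCP, 1480, df=True) + b"\x00" * 1480
    reply = frag_needed(router, big, 1492)
    pmtu = 1500
    if firewall_passes(reply, policy):
        pmtu = learn_path_mtu(reply, pmtu)
    return pmtu                          # 1492 if the ICMP got through, else stuck at 1500


if __name__ == "__main__":
    for p in ("allow-pmtud", "block-all-icmp"):
        print(p, "->", demo(p))
```

With "allow-pmtud" the site learns a 1492-byte path and retransmits smaller packets; with "block-all-icmp" it keeps sending 1500-byte DF packets that the access router silently cannot forward, which is exactly the hang the thread describes. The receiver checks the ICMP checksum and never lets an ICMP message raise the path MTU, so a forged message can at worst shrink it.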
  8. Re:Better yet get rid of PPOE by jdh28 · · Score: 5, Informative

    I agree that PPPoE (note the 3 P's) is not the most elegant solution, but it is perfectly valid to have smaller MTUs. It is peoples' firewalls that are broken here.

    john

  9. Solution for Linux 2.4/IPFilter by 51c4r1u5 · · Score: 4, Informative

    Assuming you use your linux machine as a router there is a solution. Using a recent distro/kernel there should be an ipt_TCPMSS module available. Running iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu "does the trick" of adjusting packet sizes. Sites like CERT, SecurityFocus or GMX.de are accessible then.

    Further readings here and here.
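What that iptables rule does to a single packet, written out as an added example (not the netfilter code and not from the poster): parse an IPv4 SYN, find the TCP MSS option, lower it to the path MTU minus the 40 bytes of IP and TCP headers, and recompute the TCP checksum over the pseudo-header. It also covers the two edge cases a clamping box has to get right: a SYN whose MSS is already small enough is left alone, and a SYN with no MSS option gets one inserted (which grows both headers and requires fixing the IP length and checksum too). The sample SYN, the addresses and the 536-byte floor are this example's assumptions, not values taken from the kernel or the page.

```python
import struct
from typing import Optional, Tuple

IPPROTO_TCP = 6
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2
TH_SYN, TH_RST = 0x02, 0x04
MIN_MSS = 536  # RFC 1122 default MSS; this example refuses to clamp below it (assumption)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of big-endian 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the whole segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, len(segment))
    return inet_checksum(pseudo + segment)


def build_syn(src: bytes, dst: bytes, mss: Optional[int]) -> bytes:
    """Constructed IPv4 SYN (port 80).  With mss=None it carries no MSS option;
    otherwise MSS, NOP, NOP, SACK-permitted, as common stacks send."""
    opts = b"" if mss is None else struct.pack("!BBH", TCPOPT_MSS, 4, mss) + b"\x01\x01\x04\x02"
    doff = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, doff << 4, TH_SYN, 65535, 0, 0) + opts
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def read_mss(tcp: bytes) -> Optional[Tuple[int, int]]:
    """Walk the TCP options; return (offset of the MSS value, MSS) or None."""
    doff = (tcp[12] >> 4) * 4
    i = 20
    while i < doff:
        kind = tcp[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= doff or tcp[i + 1] < 2 or i + tcp[i + 1] > doff:
            raise ValueError("malformed TCP options")
        length = tcp[i + 1]
        if kind == TCPOPT_MSS and length == 4:
            return i + 2, struct.unpack("!H", tcp[i + 2:i + 4])[0]
        i += length
    return None


def clamp_mss(packet: bytes, pmtu: int) -> bytes:
    """Router side: what `-j TCPMSS --clamp-mss-to-pmtu` does to one packet.
    Only SYNs (SYN set, RST clear) are touched, and the MSS is never raised."""
    if packet[9] != IPPROTO_TCP:
        return packet
    ihl = (packet[0] & 0x0F) * 4
    ip, tcp = packet[:ihl], packet[ihl:]
    flags = tcp[13]
    if not (flags & TH_SYN) or (flags & TH_RST):
        return packet
    newmss = pmtu - ihl - 20             # 1492 - 40 = 1452 on a PPPoE path
    if newmss < MIN_MSS:
        raise ValueError("path MTU too small to clamp sanely")
    found = read_mss(tcp)
    if found is None:
        # No MSS option: insert one (modern netfilter's TCPMSS target also does
        # this when there is room), then fix the TCP data offset and IP length.
        doff = (tcp[12] >> 4) * 4
        if doff + 4 > 60:
            return packet                # 60 bytes is the largest TCP header
        tcp = tcp[:doff] + struct.pack("!BBH", TCPOPT_MSS, 4, newmss) + tcp[doff:]
        tcp = tcp[:12] + bytes([((doff + 4) // 4) << 4 | (tcp[12] & 0x0F)]) + tcp[13:]
        ip = ip[:2] + struct.pack("!H", len(ip) + len(tcp)) + ip[4:10] + b"\x00\x00" + ip[12:]
        ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    else:
        off, oldmss = found
        if oldmss <= newmss:
            return packet                # already small enough: leave it alone
        tcp = tcp[:off] + struct.pack("!H", newmss) + tcp[off + 2:]
    tcp = tcp[:16] + b"\x00\x00" + tcp[18:]
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(ip[12:16], ip[16:20], tcp)) + tcp[18:]
    return ip + tcp


def checksums_ok(packet: bytes) -> bool:
    """True when both the IP header checksum and the TCP checksum verify."""
    ihl = (packet[0] & 0x0F) * 4
    ip, tcp = packet[:ihl], packet[ihl:]
    return inet_checksum(ip) == 0 and tcp_checksum(ip[12:16], ip[16:20], tcp) == 0
```

Clamping happens on the SYN in each direction, so both peers agree to a segment size that fits the narrowest hop before any data flows; that is why it works even when the ICMP 3/4 never arrives, and also why, as comment 7 notes, it only helps TCP.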

  10. Re:Don't see a problem by Nonac · · Score: 3, Informative

    It probably works for you because your machine is probably configured with a maxmtu setting of less than 1492. The problem comes when you are using path mtu discovery, not a defined maxmtu.

  11. Re:Better yet get rid of PPOE by Ektanoor · · Score: 3, Interesting

    And what do you offer in exchange? Raw Ethernet? Sorry but that's overbastardization for some tasks. You ignore that virtual networks, private networks and several security tasks need such things as PPOE, VPN, PPTP and the like. However there is a price to pay. In the case of PPOE it is a logical price as you need to lower the MTU of the inner package so that the whole thing fits into a classical 1500 byte data envelope and the host will not break his head with oversized datapacks. If no one gets the idea why this should be done, then it is him who's the idiot and not the protocol. And if one doesn't get the idea why such kind of protocols exist then better RTFM a little before calling others idiots. A lot of my colleagues use virtual networks for tons of tasks as solving things in a single raw physical basis is becoming near to impossible today. It is becoming overexpensive and risks are getting bigger and bigger.

  12. Already known for some time ... by MaoTse · · Score: 4, Informative

    Just noticed this in the netfilter section of linux config file:

    CONFIG_IP_NF_TARGET_TCPMSS
    [snip]

    This is used to overcome criminally braindead ISPs or servers which block ICMP Fragmentation Needed packets. The symptoms of this problem are that everything works fine from your Linux firewall/router, but machines behind it can never exchange large packets:
    1) Web browsers connect, then hang with no data received.
    2) Small mail works fine, but large emails hang.
    3) ssh works fine, but scp hangs after initial handshaking.

    Don't know about you but myself I can't remember actually using this nf option...
    Maybe the reason is I always let the ICMP packets go ;-)

    Any thoughts about those other dangers of blocking ICMP3,4 ?

  13. Slightly OT: how to configure your MTU by rkent · · Score: 5, Informative

    For PPPoE links this should be set to 1492.

    Sometimes. Sometimes less. I actually ran into this problem with my old DSL connection; I couldn't reach the "My Yahoo" series of sites, of all places. I don't know about a full-blown academic paper on the subject, but here are a couple of references you might find useful if you're on PPPoE and you find sites mysteriously unreachable:

    windows : http://www.winguides.com/registry/display.php/1104/

    Linux: http://www.linuxnewbie.org/nhf/Modems/Tweaking_Your_Modem_with_MTU_and_MRU.html

    Basically, what you do is ratchet down the MTU until you can see the sites you weren't able to before. It might only need to be reduced to 1492; maybe lower, though.

    These were both near the top of the google list for their respective searches; dozens more are obviously available through the same procedure.

  14. If you don't use PPPoE by bhsx · · Score: 3, Informative

    If you don't use PPPoE and want to test some of these theories, you can try a "ifconfig eth0 mtu 1400" where eth0 is your network connection.

    --
    put the what in the where?
  15. Re:Can't read pdf by 0x0d0a · · Score: 3, Insightful

    Got the latest M$ XP Pro, and Adobe...

    I wish people wouldn't do this. You don't "have Adobe" any more than you "have the Internet" or something similar.

    I'd guess from the context that you're talking about Acrobat Reader. Unfortunately, people also use the term "I've got Adobe" to refer to Photoshop.

    Granted, the origin of all this was companies, not consumers, with people like Microsoft and Netscape putting their company names into their product name, but it's confusing, and it's consumers that are keeping it going.

  16. Re:People who violate the rules of RFCs are JERKS by 0x0d0a · · Score: 4, Interesting

    I think the arrogant jerks that violate the rules of internet RFCs should be outed or blacklisted.

    Okay, maybe my feelings are a little less strong, but I feel frustration about this as well. However...

    Boo to arrogant linux-bsd-oriented self appointed security experts.

    What in God's name does this have to do with Linux or BSD? If anything, I find overzealous network admins to be more frequently Windows-oriented (let's block random attachments because they might contain executables that are easy to execute with our company's default mailer!).

    Actually, I'd like to see more network admins handle ECN. It's been around in Linux for a while now, and it helps everyone, and network admins are doing jack and shit about it.

    What we need is MS to put out a new OS with ECN support so that network admins fix their routers/firewalls.