Slashdot Mirror

← Back to Stories (view on slashdot.org)

MSS Initiative Makes Progress

Posted by ryuzaki0 on from the doctor-heal-theyself dept.

Phil writes "The MSS Initiative was started by Richard van den Berg and myself to combat sites that are broken (enable Path MTU Discovery AND block ICMP 3,4) which include such big sites as SecurityFocus and CERT (causing those behind PPPoE and other less-than-1500-MTU-protocols to be unable to view the sites). This past week we were priveleged enough to be able to present a paper at the 16th LISA Systems Administration Conference! Check out the paper and slides and be sure, like many members of the audience, to fix the sites you administer!"

10 of 114 comments (clear)

  1. Definitions:yeah I had no clue what MSS was either by Anonymous Coward · · Score: 5, Informative

    MTU: Maximum Transfer Unit.
    This is the maximum number of bytes that your computer will send out in a packet. This should be set according to what your connection can handle. For ethernet this should be set to 1500. For PPPoE links this should be set to 1492.

    MSS: Maximum Segment Size.
    This is used in negotiating what the MTU of a connection between two hosts will be. Essentially this is saying "please don't send me packets bigger than X." This should typically be set to 40 less than your MTU to allow room for headers.

  2. Speaking of "broken".... by wowbagger · · Score: 5, Interesting

    The PDF of the paper refuses to render with any Ghostscript derived viewer.

    It sure would be nice if those who wish to cast stones would make sure their own position is clean.

    That said, I've had to ding webmasters about having their routers set up to block packets with explicit congestion notify set - that is now an accepted part of TCP/IP, and failing to accept packets with ECN set is a violation of the standard.

    --
    www.eFax.com are spammers
  3. education is not a solution by jilles · · Score: 5, Insightful

    This problem is way to technical to explain to most sysadmins. Expecting them to fix it after a kind notification seems naive at best. Instead focus on firewall product manufacturers. In many cases sysadmins just use some sort of generated rules from some firewall product or duplicate sections of howto's. if you make sure the generated stuff is ok and the howto's & manuals don't misinform the sysadmins, there's a lot to gain.

    --

    Jilles
  4. Thank You by w1r3sp33d · · Score: 5, Interesting

    MTU has turned into the bane of my existence, between atm header problems, VPN's which can't have their packets fragmented without blowing up their crc's, and voice and video apps over low speed links adjusting the MTU down isn't an option anymore, many times it is required. Maybe a site here or there won't display, but usually its downloads that die, like a norton update for example. If I reset the mtu back to 1500 then the vpn's drop and voice develops jitter or drops (using a vovpn as an example)but everyone can download their updates (and of course more importantly their mp3's.) My point is that allowing your ftp server to service a packet at 750 won't kill you or your server. How much overhead do you add by sending two packets at 750 over one at 1500 and how much bandwidth will you save? Until this problem completely disappears I will keep a copy of DR. TCP on my laptops, I believe you can free copies of it from Cisco (might need to be registered)

  5. Its a good start by anticypher · · Score: 5, Informative

    There needs to be more awareness in the internet world about not breaking some of the underlying technologies. What the authors are talking about is sites with fuckheaded admins who blindly block all ICMP traffic with their firewalls.

    Path Maximum Transmission Unit Discovery, ICMP type 3 code 4, is sent to an IP stack telling it to send smaller IP packets so the packets don't get fragmented along the way. When nearly 75% of broadband users in Europe are forced to use PPPOE, they count on a working PMTUD message making things work.

    There is a workaround, called MSS clamping, built into Roaring Penguin PPPOE (great software, guys!) which tweaks the TCP stack for web traffic. Unfortunately, it breaks all kinds of other traffic which doesn't expect the MSS to change.

    So this paper is a good start to informing network admins there is no security risk in allowing some types of ICMP traffic. MSS clamping and PMTUD problems were a main topic of coffee break discussions at the last RIPE meeting. Now it remains to convince the firewall manufacturers to change their defaults so that they aren't breaking more and more of the internet. Adding this information to Firewall-HOWTOs would also be a good idea.

    the AC

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  6. Re:Better yet get rid of PPOE by jdh28 · · Score: 5, Informative

    I agree that PPPoE (note the 3 P's) is not the most elegant solution, but it is perfectly valid to have smaller MTUs. It is peoples' firewalls that are broken here.

    john

  7. Solution for Linux 2.4/IPFilter by 51c4r1u5 · · Score: 4, Informative

    Assuming you use your linux machine as a router there is a solution. Using a recent distro/kernel there should be an ipt_TCPMSS module available. Running iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss -to-pmtu "does the trick" of adjusting packet sizes. Sites like CERT, SecurityFocus or GMX.de are accessible then.

    Further readings here and here.

  8. Already known for some time ... by MaoTse · · Score: 4, Informative

    Just noticed this in the netfilter section of linux config file:

    CONFIG_IP_NF_TARGET_TCPMSS
    [snip]

    This is used to overcome criminally braindead ISPs or servers which block ICMP Fragmentation Needed packets. The symptoms of this problem are that everything works fine from your Linux firewall/router, but machines behind it can never exchange large packets:
    1) Web browsers connect, then hang with no data received.
    2) Small mail works fine, but large emails hang.
    3) ssh works fine, but scp hangs after initial handshaking.

    Don't know about you but myself I can't remember actually using this nf option...
    Maybe the reason is I always let the ICMP packets go ;-)

    Any thoughts about those other dangers of blocking ICMP3,4 ?

  9. Slightly OT: how to configure your MTU by rkent · · Score: 5, Informative

    For PPPoE links this should be set to 1492.

    Sometimes. Sometimes less. I actually ran into this problem with my old DsL connection; I couldn't reach the "My Yahoo" series of sites, of all places. I don't know about a full-blown academic paper on the subject, but here are a couple of references you might find useful if you're on PPPoE and you find sites mysteriously unreachable:

    windows : http://www.winguides.com/registry/display.php/1104 /

    Linux: http://www.linuxnewbie.org/nhf/Modems/Tweaking_You r_Modem_with_MTU_and_MRU.html

    Basically, what you do is ratchet down the MTU until you can see the sites you weren't able to before. It might only need to be reduced to 1492; maybe lower, though.

    These were both near the top of the google list for their respective searches; dozens more are obviously available through the same proceedure.

  10. Re:People who violate the rules of RFCs are JERKS by 0x0d0a · · Score: 4, Interesting

    I think the arrogant jerks that violate the rules of internet RFCs should be outed or blacklisted.

    Okay, maybe my feelings are a little less strong, but I feel frusteration about this as well. However...

    Boo to arrogant linux-bsd-oriented self appointed security experts.

    What in God's name does this have to do with Linux or BSD? If anything, I find overzealous network admins to be more frequently Windows-oriented (let's block random attachments because they might contain executables that are easy to execute with our company's default mailer!).

    Actually, I'd like to see more network admins handle ECN. It's been around in Linux for a while now, and it helps everyone, and network admins are doing jack and shit about it.

    What we need is MS to put out a new OS with ECN support so that network admins fix their routers/firewalls.

    --
    May we never see th