[prev in list] [next in list] [prev in thread] [next in thread]
List: netbsd-tech-net
Subject: Re: ssh's "bad packet length" vs. SACK and IPsec
From: yamt () mwd ! biglobe ! ne ! jp (YAMAMOTO Takashi)
Date: 2008-03-08 10:24:35
Message-ID: 20080308102435.6DEB711702 () yamt ! dyndns ! org
[Download RAW message or body]
> While those two patches makes the whole thing happy, I think we should
> re-visit the path MTU discovery code to be more efficient. In the case
> of blackholes for instance, we should make use of icmp_mtudisc's clever
> table. And I still think we should act on ICMP Need Fragment messages
> immediately.
there are some reasons not to act on icmp messages immediately.
http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html
> I'd appreciate if someone with TCP and possibly SACK knowledge would
> confirm my analysis and the correctness of the patch I suggest.
> Otherwise I'll commit sometime later...
although i don't claim that i'm an expert of these area,
these analysis and patches seem correct to me.
YAMAMOTO Takashi
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic