
List:       netbsd-tech-net
Subject:    Re: ssh's "bad packet length" vs. SACK and IPsec
From:       yamt () mwd ! biglobe ! ne ! jp (YAMAMOTO Takashi)
Date:       2008-03-08 10:24:35
Message-ID: 20080308102435.6DEB711702 () yamt ! dyndns ! org

> While those two patches make the whole thing happy, I think we should
> re-visit the path MTU discovery code to be more efficient.  In the case
> of blackholes for instance, we should make use of icmp_mtudisc's clever
> table.  And I still think we should act on ICMP Need Fragment messages
> immediately.

there are some reasons not to act on icmp messages immediately.
http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html

> I'd appreciate if someone with TCP and possibly SACK knowledge would
> confirm my analysis and the correctness of the patch I suggest.
> Otherwise I'll commit sometime later...

although i don't claim that i'm an expert in these areas,
this analysis and these patches seem correct to me.

YAMAMOTO Takashi