Netdev List
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
To: Florian Westphal <fw@strlen.de>
Cc: John Heffner <johnwheffner@gmail.com>,
	David Miller <davem@davemloft.net>,
	Netdev <netdev@vger.kernel.org>,
	Eric Dumazet <eric.dumazet@gmail.com>,
	steffen.klassert@secunet.com, fweimer@redhat.com
Subject: Re: [PATCH net-next v4 0/3] path mtu hardening patches
Date: Tue, 14 Jan 2014 00:18:43 +0100
Message-ID: <20140113231843.GN6586@order.stressinduktion.org>
In-Reply-To: <20140113224835.GA28205@breakpoint.cc>

On Mon, Jan 13, 2014 at 11:48:35PM +0100, Florian Westphal wrote:
> Hannes Frederic Sowa <hannes@stressinduktion.org> wrote:
> > On Mon, Jan 13, 2014 at 11:03:56PM +0100, Hannes Frederic Sowa wrote:
> > > I really don't like to depend on firewalling to do that. Especially on
> > > big routers one can use the routing table to protect interfaces for
> > > management and thus don't need to introduce stateful firewalling to
> > > realize a secure router setup which could cause performance degradation,
> > > especially with lots of small and short-lived flows (e.g. UDP/DNS).
> > 
> > This may get better if maybe some work is put into bringing this patch
> > forward: http://comments.gmane.org/gmane.linux.network/268758
> 
> Jesper Brouer is working on this.

Cool!

> But, why do you even need stateful firewalling for filtering?
> Isn't -m socket enough?
>
> [ sorry if you already explained, might have missed it when searching the
> archive ]

That would solve the tests I actually did, because the module doesn't let
ICMP packets with ICMP packet payload through (maybe this could
be bad for people using ping to debug pmtu problems on routers. This is
a bit far-fetched, but I actually did ;) )

Myself, I don't trust socket lookup on unconnected UDP sockets any more, as
you only need to spray such pMTU packets in a limited port range against
a box, given that many routers currently also provide DNS services on
a random but outgoing port or are equipped with a whole bunch of services.

As soon as you have tunnels on a router, this wouldn't work either,
because you have to accept pmtu information on a non-socket in this case;
the same applies to ipsec.

I guess there are more special cases.

I think it is possible to come up with an iptables setup which is suitable
to protect a system in a special constellation. But, IMHO, it is better
to strictly follow the RFC and not use path mtu in forwarding.

Greetings,

  Hannes
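As an added illustration (not part of this thread and not netfilter's own xt_socket code), the simplified model below emulates the socket-lookup idea behind `-m socket`: it parses a constructed ICMP "fragmentation needed" message and accepts it only if the quoted IPv4/UDP header maps to a local socket. An unconnected UDP socket such as a DNS listener matches whatever peer the message claims, which is the weakness described above, while a forwarded or tunnelled flow has no socket at all. All addresses, ports and sockets are constructed sample values.

```python
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class Sock:
    """Local socket; raddr "0.0.0.0" / rport 0 means unconnected (any peer)."""
    proto: int
    laddr: str
    lport: int
    raddr: str = "0.0.0.0"
    rport: int = 0

def ipv4_header(src, dst, proto, total_len):
    # Checksum left zero: this is constructed sample data, never put on the wire.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def frag_needed(router, host, isrc, idst, sport, dport, mtu):
    """ICMP type 3 code 4 from router to host, quoting the IPv4/UDP header of a
    packet that host supposedly sent from isrc:sport to idst:dport."""
    inner = ipv4_header(isrc, idst, 17, 1500) + struct.pack("!HHHH", sport, dport, 1480, 0)
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + inner
    return ipv4_header(router, host, 1, 20 + len(icmp)) + icmp

def parse_frag_needed(pkt):
    """Return (inner_src, inner_dst, proto, sport, dport, mtu), or None."""
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    if pkt[9] != 1 or (icmp[0], icmp[1]) != (3, 4):
        return None
    mtu = struct.unpack("!H", icmp[6:8])[0]
    inner = icmp[8:]
    iihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[iihl:iihl + 4])
    return (".".join(map(str, inner[12:16])), ".".join(map(str, inner[16:20])),
            inner[9], sport, dport, mtu)

def socket_match(pkt, socks):
    """The -m socket idea: accept the PMTU report only if the quoted header
    belongs to a local socket. We sent the quoted packet, so its src is ours."""
    p = parse_frag_needed(pkt)
    if p is None:
        return None
    isrc, idst, proto, sport, dport, _ = p
    for s in socks:
        if (s.proto, s.laddr, s.lport) != (proto, isrc, sport):
            continue
        if s.raddr == "0.0.0.0" or (s.raddr, s.rport) == (idst, dport):
            return s
    return None
```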


Thread overview: 15+ messages
2014-01-09  9:01 [PATCH net-next v4 0/3] path mtu hardening patches hannes
2014-01-09  9:01 ` [PATCH net-next v4 1/3] ipv4: introduce ip_dst_mtu_maybe_forward and protect forwarding path against pmtu spoofing hannes
2014-01-09  9:01 ` [PATCH net-next v3 2/3] ipv6: introduce ip6_dst_mtu_forward and protect forwarding path with it hannes
2014-01-09  9:01 ` [PATCH net-next v2 3/3] ipv4: introduce hardened ip_no_pmtu_disc mode hannes
2014-01-13 19:25 ` [PATCH net-next v4 0/3] path mtu hardening patches David Miller
2014-01-13 19:35   ` John Heffner
2014-01-13 20:42     ` Hannes Frederic Sowa
2014-01-13 21:08       ` John Heffner
2014-01-13 21:28         ` Hannes Frederic Sowa
2014-01-13 21:50           ` John Heffner
2014-01-13 22:03             ` Hannes Frederic Sowa
2014-01-13 22:15               ` Hannes Frederic Sowa
2014-01-13 22:48                 ` Florian Westphal
2014-01-13 23:18                   ` Hannes Frederic Sowa [this message]
2014-01-13 22:12             ` David Miller
