Re: Linux 2.4.27 SECURITY BUG - TCP Local and REMOTE(verified) Denial of Service Attack

[Florian Weimer]

* David S. Miller:

> On Tue, 21 Sep 2004 20:32:12 +0200
> Florian Weimer <fw@xxxxxxxxxxxxx> wrote:
>
>> > But then you get PMTU problems...
>> 
>> PMTU discovery is not an issue because it's turned off anyway, at
>> least by default.
>
> It's on by default, for both TCP and UDP in the kernel,
> and has been so for a long time.

Linux is not the reference TCP/IP stack for routers. 8-)

> Why would it be off by default?

Probably because PMTUD is just a DRAFT STANDARD, and these router
folks are usually extremely conservative.  Switching the default is
dangerous because it's likely to break existing setups, as Herbert
noted.

> If you disable PMTU discovery, say goodbye to TCP performance.

Indeed.  On those platforms, the CPU impact is also significant, and
the overall increase in BGP convergence time is measurable.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/