MSS Initiative Makes Progress
Phil writes "The MSS Initiative was started by Richard van den Berg and myself to combat sites that are broken (enable Path MTU Discovery AND block ICMP 3,4) which include such big sites as SecurityFocus and CERT (causing those behind PPPoE and other less-than-1500-MTU-protocols to be unable to view the sites). This past week we were privileged enough to be able to present a paper at the 16th LISA Systems Administration Conference! Check out the paper and slides and be sure, like many members of the audience, to fix the sites you administer!"
Can't read pdf (Score:1, Offtopic)
Re:Can't read pdf (Score:2)
Re:Can't read pdf (Score:2)
Re:Can't read pdf (Score:3, Insightful)
I wish people wouldn't do this. You don't "have Adobe" any more than you "have the Internet" or something similar.
I'd guess from the context that you're talking about Acrobat Reader. Unfortunately, people also use the term "I've got Adobe" to refer to Photoshop.
Granted, the origin of all this was companies, not consumers, with people like Microsoft and Netscape putting their company names into their product name, but it's confusing, and it's consumers that are keeping it going.
"have Adobe" (Score:2)
I guess that the name of the standards organization should be enough. No need for these pesky numbers.
here's a solution: (Score:1)
You can download ISO images of both Debian GNU/Linux [debian.org] and Mandrake [mandrake.com] at LinuxISO.org [linuxiso.org].
Don't see a problem (Score:2, Funny)
But if he says so, then I won't access them, due to the 'problem'...
Re:Don't see a problem (Score:1, Funny)
I clicked on the CERT.org link and it did work...
I really hope I didn't fix something, I can be so clumsy sometimes...
Re:Don't see a problem (Score:3, Informative)
Definitions:yeah I had no clue what MSS was either (Score:5, Informative)
This is the maximum number of bytes that your computer will send out in a packet. This should be set according to what your connection can handle. For ethernet this should be set to 1500. For PPPoE links this should be set to 1492.
MSS: Maximum Segment Size.
This is used in negotiating what the MTU of a connection between two hosts will be. Essentially this is saying "please don't send me packets bigger than X." This should typically be set to 40 less than your MTU to allow room for headers.
Re:Definitions:yeah I had no clue what MSS was eit (Score:3, Informative)
MTU: Maximum Transmission Unit.
I have no idea where the MSS people got "transfer" from.
Better references... (Score:1, Informative)
And RFC791 where MTU was itself defined (among other things) also says it means "Maximum Transmission Unit."
Slightly OT: how to configure your MTU (Score:5, Informative)
Sometimes. Sometimes less. I actually ran into this problem with my old DSL connection; I couldn't reach the "My Yahoo" series of sites, of all places. I don't know about a full-blown academic paper on the subject, but here are a couple of references you might find useful if you're on PPPoE and you find sites mysteriously unreachable:
windows : http://www.winguides.com/registry/display.php/110
Linux: http://www.linuxnewbie.org/nhf/Modems/Tweaking_Yo
Basically, what you do is ratchet down the MTU until you can see the sites you weren't able to before. It might only need to be reduced to 1492; maybe lower, though.
These were both near the top of the google list for their respective searches; dozens more are obviously available through the same procedure.
Re:Definitions:yeah I had no clue what MSS was eit (Score:1)
Also explains how this relates to GRE & IPSec tunnels not working.
http://www.cisco.com/en/US/tech/tk648/tk369/techn
Couldn't access either site (Score:1, Funny)
Re:People who violate the rules of RFCs are JERKS (Score:4, Interesting)
Okay, maybe my feelings are a little less strong, but I feel frustration about this as well. However...
Boo to arrogant linux-bsd-oriented self appointed security experts.
What in God's name does this have to do with Linux or BSD? If anything, I find overzealous network admins to be more frequently Windows-oriented (let's block random attachments because they might contain executables that are easy to execute with our company's default mailer!).
Actually, I'd like to see more network admins handle ECN. It's been around in Linux for a while now, and it helps everyone, and network admins are doing jack and shit about it.
What we need is MS to put out a new OS with ECN support so that network admins fix their routers/firewalls.
Re:People who violate the rules of RFCs are JERKS (Score:2)
You are absolutely right. Everyone using PPPoE should be banned from using the Internet. PPPoE is a _COMPLETELY_ broken protocol. If enough sites refuse to service people using such a cracked protocol, then maybe it will go away. In fact, I am going to go misconfigure the sites that I administer to make sure that they do not work with PPPoE.
I will not let anyone I know use PPPoE. I have advised every single one of them to get cable modems with DHCP instead.
The telephone companies are the only ones pushing PPPoE. Do we really want a bunch of morons who can't run an analog phone network dictate how the Internet operates? Just about everyone in my family has worked for a Telco, and frankly, I would not let any of them near a computer even if my life depended on it.
PPPoE is here and now and growing EVERY DAY, as people lose the ability and right to have static IP or long DHCP leases.
The "right" to have a static IP? I do not even know what that means. As for long DHCP leases, how about this for an idea, short DHCP leases!
PPPoE is a hack and it should die a horrible death. If you want to use the Internet, get a real internet connection or go back to using AOL.
-sirket
Solution for those in CA... (Score:2)
They give out static IP addresses and allow those who know how to do it and can keep their boxen patched the ability to run servers. They even have their own game server too! How cool is that?
Sorry about those in the other 49 states...PPPoE sucks.
Re:People who violate the rules of RFCs are JERKS (Score:2)
Since when was a static IP address a right?
I think that before you could decide that everyone had a right to a static IP address, you should count the people in the world, and the total number of possible IPv4 IP Addresses.
I think it's more like it's everyone's responsibility to not use a static IP unless they really need it, at least until IPv6 is the standard on the net..
Of course, by then, we will have suffered an ice age, been blasted with radiation from having the magnetic poles disappear, and watched civilization collapse due to the Y10k problem....so static IP addresses probably won't be top on everyone's mind...
Anyone else... (Score:2, Funny)
Speaking of "broken".... (Score:5, Interesting)
It sure would be nice if those who wish to cast stones would make sure their own position is clean.
That said, I've had to ding webmasters about having their routers set up to block packets with explicit congestion notify set - that is now an accepted part of TCP/IP, and failing to accept packets with ECN set is a violation of the standard.
Re:Speaking of "broken".... (Score:1)
Did not try Acrobat Reader standalone yet.
Re:Speaking of "broken".... (Score:2, Informative)
MOD PARENT UP (Score:2)
The paper wouldn't open for me either. I'm running Acrobat 4.0 on Win95 (hey, it's fast, dude). Someone can probably advise him on saving it in compatible mode or something like that.
Re:Speaking of "broken".... (Score:2)
It also refuses to render with Adobe Acrobat Reader 4.0 on NT 4.
And the UseNix site (html version) can not be used without a username and password.
Move along, nothing to see here.
education is not a solution (Score:5, Insightful)
Re:education is not a solution (Score:3, Interesting)
If you're talking about (real|unix) sysadmins then I think you're probably way off base. Or at least I certainly hope so. If you're right, then we've had some serious degeneration going on. I've got a rather cynical view as it is considering the number of clueless people I run into even on the unix side but the majority I meet still do know what the hell they're talking about. And few if any would just use some pre-defined firewall ruleset, and even fewer would be unable to understand a request of this nature.
Re:education is not a solution (Score:2)
Real UNIX sysadmins are expensive and rare. You should see the monkeys that maintain our local network. If I want a virtual server added to our apache server it is more efficient for me to look up the documentation and take our sysadmin by the hand to guide him through the process (this actually happened). Most organizations have shitty sysadmins. Luckily ours never tried their hands on a firewall (that means security sucks by default and there are no restrictions on network usage
Thank You (Score:5, Interesting)
Re:Thank You (Score:3, Informative)
LISA (Score:2)
Anybody know what LISA stands for ?
Re:LISA (Score:2)
Better yet get rid of PPOE (Score:2, Flamebait)
Re:Better yet get rid of PPOE (Score:5, Informative)
I agree that PPPoE (note the 3 P's) is not the most elegant solution, but it is perfectly valid to have smaller MTUs. It is people's firewalls that are broken here.
john
Re:Better yet get rid of PPOE (Score:1, Insightful)
It is PPPoE reliance (not use) on path discovery that is causing the issue here.
It's not surprising that security sites are blocking ICMP 3,4. Allowing it potentially allows a DoS attack to be attempted with relatively low bandwidth. (Set MTU to minimum, send large amount of traffic, packet overhead increases).
If you need that functionality in your own network, go for it. But I don't see why other should make themselves more vulnerable just because a minority are having trouble when everyone else is fine. (BTW that 70% figure sounds impressive, but keep in mind the low percentage of broadband users)
Re:Better yet get rid of PPOE - not! (Score:1, Informative)
Allowing ICMP 3,4 at your firewall does not make your site more vulnerable if you have enough knowledge to do it right. See http://www.cisco.com/warp/public/63/car_rate_limi
Re:Better yet get rid of PPOE (Score:3, Interesting)
Re:Better yet get rid of PPOE (Score:1, Insightful)
PMTUD was made long before PPPoE, and is an integrated part of the IP protocol.
Re:Better yet get rid of PPOE (Score:2)
Like if you had the choice of avoiding PPPoE.
Re:Better yet get rid of PPOE (Score:2, Informative)
The PPPoE software (client AND server side) is terrible for the most part, and it took YEARS to get them even as stable as they are now.
For a broadband connection, it's horrible. Originally, everyone used DHCP to assign you the necessary info, but now it's all done through PPP. It's just like dial-up again, even the connection procedures! Add to that the fact that most ISPs use dynamic IP addressing and you'll get a new IP *every* time you connect (not so bad in itself, but coupled with the frequent disconnections, see terrible software above..) It's a nightmare for the end user.
Protocols are supposed to be TRANSPARENT to the end user. PPPoE is anything but. There's a reason there's a ton of support sites to help people with its bizarre configuration. It's a failure.
Re:Better yet get rid of PPOE (Score:1)
You obviously don't have to manage an ISP.. PPPoE allows a much greater control than PVC based, with:
-session accounting
-flexible user login control (radius, realms and so on)
You don't need to reconfig a router manually for each customer, play with MAC addresses etc.
By the way, most PPPoE have an MTU set for 1492. But since most ISPs are using a telco platform and the sessions are forwarded over L2TP to their router, there's another 40 bytes to remove from the 1492.. The ideal MTU now being 1452 for PPPoE customers. If all clients had this set, nobody would have heard of MTU/MSS at all
Could someone explain what this is about? (Score:2)
Re:Strange (Score:2)
Fixed PDF (mirror) here: (Score:3, Informative)
Mirror for slides (Score:2)
Open Office format! (Score:1)
sure would love to see more of this in the real world.
Its a good start (Score:5, Informative)
Path Maximum Transmission Unit Discovery, ICMP type 3 code 4, is sent to an IP stack telling it to send smaller IP packets so the packets don't get fragmented along the way. When nearly 75% of broadband users in Europe are forced to use PPPOE, they count on a working PMTUD message making things work.
There is a workaround, called MSS clamping, built into Roaring Penguin PPPOE (great software, guys!) which tweaks the TCP stack for web traffic. Unfortunately, it breaks all kinds of other traffic which doesn't expect the MSS to change.
So this paper is a good start to informing network admins there is no security risk in allowing some types of ICMP traffic. MSS clamping and PMTUD problems were a main topic of coffee break discussions at the last RIPE meeting. Now it remains to convince the firewall manufacturers to change their defaults so that they aren't breaking more and more of the internet. Adding this information to Firewall-HOWTOs would also be a good idea.
the AC
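The comment above describes what an ICMP type 3 code 4 message is for; the example below (added here, not code from the paper, from Roaring Penguin or from the commenter) shows what a receiving host should do with one. It parses the message, pulls the next-hop MTU (RFC 1191, with the plateau-table fallback for routers that report 0), and refuses to act unless the quoted IP/TCP header matches a connection the host actually owns and the new MTU stays above a floor. Those two checks are what keep the "low-bandwidth DoS" worry raised earlier in the thread from being a reason to block the message outright. Addresses, ports and the 576-byte floor are constructed choices of this example; the ICMP checksum is left at zero because a real IP stack verifies it before a handler like this sees the message.

```python
import socket
import struct
from typing import Dict, Optional, Tuple

ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED = 3, 4
# RFC 1191 plateau table, consulted when a pre-RFC 1191 router reports a next-hop MTU of 0.
PLATEAUS = (65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68)
MIN_PMTU = 576   # floor below which this example refuses to shrink a path (policy choice of the example)


def quoted_header(src_ip: str, dst_ip: str, sport: int, dport: int, total_len: int) -> bytes:
    """The 28 bytes a router quotes back: the dropped datagram's IP header plus the first 8 bytes
    of TCP (ports, sequence number). Constructed sample; IP checksum left at 0, it is not checked here."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))   # 0x4000 = DF bit set
    return ip + struct.pack("!HHI", sport, dport, 1)


def build_frag_needed(next_hop_mtu: int, quoted: bytes) -> bytes:
    """ICMP type 3 code 4 per RFC 792/1191: type, code, checksum, unused, next-hop MTU, quoted datagram.
    Checksum left at 0: the receiving IP stack verifies it before the handler below sees the message."""
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu) + quoted


def handle_frag_needed(icmp: bytes, flows: set, path_mtu: Dict[str, int]) -> Tuple[str, Optional[int]]:
    """Validate a fragmentation-needed message before letting it shrink a path MTU estimate.
    flows: {(src, dst, sport, dport)} connections this host owns; path_mtu: dst -> current estimate,
    updated in place. A message whose quoted header matches none of our flows cannot be genuine."""
    if len(icmp) < 8 + 28:
        return "dropped: truncated", None
    typ, code, _csum, _unused, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    if (typ, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        return "ignored: not fragmentation-needed", None
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return "dropped: bad quoted header", None
    if inner[9] != 6:
        return "ignored: quoted datagram is not TCP", None
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack_from("!HH", inner, ihl)
    if (src, dst, sport, dport) not in flows:
        return "dropped: no matching flow", None
    if next_hop_mtu == 0:
        # Legacy router: take the largest plateau smaller than the datagram that was dropped.
        original_len = struct.unpack_from("!H", inner, 2)[0]
        next_hop_mtu = next((p for p in PLATEAUS if p < original_len), 0)
    if next_hop_mtu < MIN_PMTU:
        return "dropped: MTU below floor", None
    current = path_mtu.get(dst, 1500)
    if next_hop_mtu >= current:
        return "ignored: not smaller than current estimate", None
    path_mtu[dst] = next_hop_mtu
    return "accepted", next_hop_mtu


if __name__ == "__main__":
    flows = {("192.0.2.10", "203.0.113.5", 40000, 443)}
    mtu: Dict[str, int] = {}
    q = quoted_header("192.0.2.10", "203.0.113.5", 40000, 443, 1500)
    print(handle_frag_needed(build_frag_needed(1492, q), flows, mtu))
    bogus = quoted_header("192.0.2.10", "203.0.113.5", 40000, 8080, 1500)   # port we never opened
    print(handle_frag_needed(build_frag_needed(296, bogus), flows, mtu))
```

The flow check is the part that matters for a firewall administrator's risk assessment: a message that cannot be tied to a live connection is dropped before it touches any state, and even a genuine one can only lower the estimate as far as the floor.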
"Over-zelous"? Grumble grumble... (Score:2)
Also, the PDF [earthlink.net] seems to be broken. It won't display on my system. (Anyone else have that problem?)
Overall, pretty impressive.
The version on the USENIX [usenix.org] site seems at least to have the correct spelling in the title, but you need a password to download the PDF there.
more on MTU's (Score:2)
Solution for Linux 2.4/IPFilter (Score:4, Informative)
Assuming you use your linux machine as a router there is a solution. Using a recent distro/kernel there should be an ipt_TCPMSS module available. Running iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu "does the trick" of adjusting packet sizes. Sites like CERT, SecurityFocus or GMX.de are accessible then.
Further readings here [lartc.org] and here [hgfelger.de].
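What the TCPMSS target does to each forwarded SYN is small enough to show in full. The example below is added here and is neither the kernel module's code nor anything from the paper: it builds a constructed IPv4/TCP SYN (documentation addresses, MSS 1460 as an Ethernet host would send), walks the TCP option list, rewrites the MSS to path MTU minus 40 bytes of IP and TCP headers, and recomputes the TCP checksum so the segment stays valid. The path MTU is passed in explicitly; the kernel looks it up in its route cache. Calling it with 1492 gives the 1452 figure from the definitions comment earlier, and with 1452 the 1412 a PPPoE-over-L2TP customer would need.

```python
import socket
import struct
from typing import Optional

IP_HDR_LEN = 20          # IPv4 header without options
TCP_HDR_LEN = 20         # TCP header without options
TCP_FLAG_SYN = 0x02
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum, the arithmetic behind IP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header and the segment, checksum field treated as zero."""
    seg = segment[:16] + b"\x00\x00" + segment[18:]
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(seg))
    return (~ones_complement_sum(pseudo + seg)) & 0xFFFF


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int, mss: int) -> bytes:
    """Constructed IPv4/TCP SYN carrying only an MSS option, DF set as PMTUD requires."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    options = struct.pack("!BBH", TCPOPT_MSS, 4, mss)          # kind 2, length 4, value
    doff = (TCP_HDR_LEN + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x12345678, 0, doff << 4,
                      TCP_FLAG_SYN, 65535, 0, 0) + options
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(tcp), 0, 0x4000,
                     64, 6, 0, src, dst)                         # 0x4000 = DF bit
    ip = ip[:10] + struct.pack("!H", (~ones_complement_sum(ip)) & 0xFFFF) + ip[12:]
    return ip + tcp


def _mss_offset(tcp: bytes) -> Optional[int]:
    """Offset of the 16-bit MSS value inside the TCP header, or None if there is no MSS option."""
    doff = (tcp[12] >> 4) * 4
    i = TCP_HDR_LEN
    while i < doff:
        kind = tcp[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= doff:
            break
        length = tcp[i + 1]
        if length < 2 or i + length > doff:
            break                                # malformed option list: leave the packet alone
        if kind == TCPOPT_MSS and length == 4:
            return i + 2
        i += length
    return None


def read_mss(packet: bytes) -> Optional[int]:
    tcp = packet[(packet[0] & 0x0F) * 4:]
    off = _mss_offset(tcp)
    return None if off is None else struct.unpack_from("!H", tcp, off)[0]


def tcp_checksum_ok(packet: bytes) -> bool:
    tcp = packet[(packet[0] & 0x0F) * 4:]
    return tcp_checksum(packet[12:16], packet[16:20], tcp) == struct.unpack_from("!H", tcp, 16)[0]


def clamp_mss(packet: bytes, path_mtu: int) -> bytes:
    """Rewrite the MSS option of a TCP SYN so it never exceeds path_mtu - 40 (IP + TCP headers).
    Anything that is not an IPv4 TCP SYN with an MSS option is returned untouched."""
    if packet[0] >> 4 != 4 or packet[9] != 6:
        return packet
    ihl = (packet[0] & 0x0F) * 4
    tcp = bytearray(packet[ihl:])
    if not tcp[13] & TCP_FLAG_SYN:
        return packet
    off = _mss_offset(bytes(tcp))
    if off is None:
        return packet
    limit = path_mtu - IP_HDR_LEN - TCP_HDR_LEN
    if struct.unpack_from("!H", tcp, off)[0] <= limit:
        return packet                            # already small enough, nothing to do
    struct.pack_into("!H", tcp, off, limit)
    struct.pack_into("!H", tcp, 16, tcp_checksum(packet[12:16], packet[16:20], bytes(tcp)))
    return packet[:ihl] + bytes(tcp)


if __name__ == "__main__":
    syn = build_syn("192.0.2.10", "203.0.113.5", 40000, 80, 1460)
    for mtu in (1500, 1492, 1452):
        print(mtu, read_mss(clamp_mss(syn, mtu)))
```

The reason the iptables rule matches only SYN is visible here: the MSS option is legal only in SYN segments, so the rewrite is skipped for everything else, and the checksum is recomputed only when a value actually changed.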
PPPoE and D-Link/Linksys 'routers' (Score:1)
So, my question would be, did anyone else have these problems? Is it maybe related, or just a bad PPPoE setup in those 'routers'?
On another related note, I replaced the D-Link with an OpenBSD firewall, and haven't looked back... performance increase was moderate, and control I have over it is just great... Will never try to get out easy on a firewall/NAT thing again, just do it right the first time:)
Re:PPPoE and D-Link/Linksys 'routers' (Score:1)
Re:PPPoE and D-Link/Linksys 'routers' (Score:1)
Well, hehe:) I already do that stuff for work:) Did learn a bit about OpenBSD, though (had mostly stuck with Solaris and Linux before that). It was just a matter of not wanting to do any more work-related things at home, and taking the cheap/easy way out, and getting the little d-link.
I have actually heard reports of similar problems from other people, but I'm guessing it was the firmware on the router. A co-worker had trouble with a linksys getting slower and slower, as well... Quite likely it's a problem with Ameriwreck DSL/d-link/linksys routers, was just wondering if anyone else had had anything similar, or a solution to it. At the time(about two months ago, I was using the latest firmware, and it actually fixed a few problems from the previous one, but not all of them...)
Re:PPPoE and D-Link/Linksys 'routers' (Score:1)
Re:PPPoE and D-Link/Linksys 'routers' (Score:1)
Already known for some time ... (Score:4, Informative)
Just noticed this in the netfilter section of linux config file:
Don't know about you but myself I can't remember actually using this nf option... ;-)
Maybe the reason is I always let the ICMP packets go
Any thoughts about those other dangers of blocking ICMP3,4 ?
Re:Already known for some time ... (Score:1)
deny icmp any any
permit icmp any any ttl-exceeded
permit icmp any any parameter-problem
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any packet-too-big
permit icmp any any host-unknown
I think I was able to get everything that's "harmless". That's only on the ingress by the way. All applied to Serial0/0
Re:Already known for some time ... (Score:1)
permit icmp any any ttl-exceeded
permit icmp any any parameter-problem
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any packet-too-big
permit icmp any any host-unknown
This would allow the above and block all else (probably bad, since your data wouldn't get through).
permit icmp any any ttl-exceeded
permit icmp any any parameter-problem
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any packet-too-big
permit icmp any any host-unknown
deny icmp any any
This is probably what you want, but remember there is still an implicit deny any at the end (unless you've got the firewall feature-set which dynamically opens things up as needed).
Most likely you want something like this on a border router:
permit icmp any any ttl-exceeded
permit icmp any any parameter-problem
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any packet-too-big
permit icmp any any host-unknown
deny icmp any any
permit ip any any
Then firewall elsewhere (initial firewalling on your exterior router is ok, but use a dedicated firewall if possible).
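The ordering point in the reply above is easy to check mechanically. The following is an added example (not the commenter's code and not an IOS feature): a first-match evaluator for the "permit|deny <icmp|ip> any any [keyword]" subset the three lists use, with IOS's implicit deny at the end. It maps the six ICMP keywords to type/code pairs (ttl-exceeded 11/0, host-unreachable 3/1, port-unreachable 3/3, packet-too-big 3/4, host-unknown 3/7; treating parameter-problem as any code of type 12 is an assumption of this example) and runs a constructed PMTUD message, an echo request and an HTTP SYN through each list.

```python
from typing import Dict, List, Optional, Tuple

# IOS keyword -> (ICMP type, code); a None code matches every code of that type.
ICMP_KEYWORDS = {
    "ttl-exceeded": (11, 0),
    "parameter-problem": (12, None),   # assumption: any code of type 12
    "host-unreachable": (3, 1),
    "port-unreachable": (3, 3),
    "packet-too-big": (3, 4),
    "host-unknown": (3, 7),
}

Rule = Tuple[str, str, Optional[Tuple[int, Optional[int]]]]


def parse_acl(text: str) -> List[Rule]:
    """Parse the 'permit|deny <icmp|ip> any any [icmp-keyword]' subset used in the thread."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] == "!":            # blank line or IOS comment
            continue
        if len(parts) < 4 or parts[0] not in ("permit", "deny") or parts[2:4] != ["any", "any"]:
            raise ValueError("unsupported rule: " + raw)
        action, proto, match = parts[0], parts[1], None
        if len(parts) == 5:
            if proto != "icmp" or parts[4] not in ICMP_KEYWORDS:
                raise ValueError("unsupported rule: " + raw)
            match = ICMP_KEYWORDS[parts[4]]
        elif len(parts) != 4:
            raise ValueError("unsupported rule: " + raw)
        rules.append((action, proto, match))
    return rules


def evaluate(rules: List[Rule], packet: Dict) -> Tuple[str, Optional[int]]:
    """First matching entry wins. Returns (action, 1-based entry number); (deny, None) is the implicit deny."""
    for n, (action, proto, match) in enumerate(rules, 1):
        if proto != "ip" and proto != packet["proto"]:
            continue
        if match is not None:
            want_type, want_code = match
            if packet.get("type") != want_type:
                continue
            if want_code is not None and packet.get("code") != want_code:
                continue
        return action, n
    return "deny", None


PERMITS = """permit icmp any any ttl-exceeded
permit icmp any any parameter-problem
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any packet-too-big
permit icmp any any host-unknown
"""
ACL_DENY_FIRST = "deny icmp any any\n" + PERMITS                  # deny placed before the permits
ACL_ICMP_ONLY = PERMITS + "deny icmp any any\n"                    # permits, then deny; nothing for other protocols
ACL_BORDER = PERMITS + "deny icmp any any\npermit ip any any\n"    # the border-router version

# Constructed sample traffic: a PMTUD message, an echo request and an HTTP SYN.
FRAG_NEEDED = {"proto": "icmp", "type": 3, "code": 4}
ECHO_REQUEST = {"proto": "icmp", "type": 8, "code": 0}
HTTP_SYN = {"proto": "tcp", "dport": 80}


def verdicts(acl_text: str) -> Dict[str, Tuple[str, Optional[int]]]:
    """Run the three sample packets through one access list."""
    rules = parse_acl(acl_text)
    samples = (("frag-needed", FRAG_NEEDED), ("echo", ECHO_REQUEST), ("http-syn", HTTP_SYN))
    return {name: evaluate(rules, pkt) for name, pkt in samples}


if __name__ == "__main__":
    for label, acl in (("deny first", ACL_DENY_FIRST), ("icmp only", ACL_ICMP_ONLY), ("border", ACL_BORDER)):
        print(label, verdicts(acl))
```

With the deny first, the packet-too-big message dies on entry 1 and the six permits are dead code; with the permits first but no trailing "permit ip any any", the ICMP is fine and the TCP SYN falls to the implicit deny, which is the "your data wouldn't get through" case in the reply.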
Re:Already known for some time ... (Score:1)
And yes there are actually two different firewalls from that point on depending on the which interface of the NM4E you go out on.
Re:Already known for some time ... (Score:2)
I've noticed that some sites began producing that error after switching to Solaris 9 running a particular webserver (on checking netcraft, I learned that my intended example apparently moved away from this combo, so I can't tell you more since I don't recall the webserver's name
Frequent visitor? (Score:2)
The companies they mail must be seriously confused as to what this has to do with their site...
Jokes aside, that "frequent visitor" phrase is nice, and _may_ help getting their message through to the right persons.
But probably not - and it is lying (which is easy to deduce when visiting their site - the url is given in the same mail). Pretending to be a regular visitor may hurt these guys in the long run, even if they do stuff for a good cause... I don't know if they do, I read the explanations and still couldn't figure out if this was something worth bothering about.
Good idea, but.. (Score:2)
A good paper explaining MTU/MSS is on Cisco [cisco.com]. If your ISP can't just 'adjust-mss' on his router, either he will fragment a lot and drop the DF (don't fragment) packets, or you will have to use Dr TCP [cisco.com] to fix the MTU on your side.
If you don't use PPPoE (Score:3, Informative)
Do I trust 5th grade grammer? (Score:2, Funny)
Please help me understand this initiative by not making up words. Yes, I can guess the meaning, but if that's the purpose (i.e. to keep the audience guessing) then why not just post random text? If the goal is to demonstrate your k3wlne55, then post in haCk15h. If the goal is to convey an idea, sway public opinion, convince a group of skeptics, form a consensus, and ultimately, build a coalition, you might want to consider restricting your phraseology to a more mainstream subset of English.
This is only a suggestion.
Paper's missing a reference to the best solution.. (Score:2, Insightful)
mss on yer lovely cisco (Score:1)
ip tcp adjust-mss 1460
Efficient, good-looking PDF (Score:1)
lisa confrence? (Score:1)
Max. size of packets (Score:1)
Re:Max. size of packets (Score:2)
Re:Max. size of packets (Score:1)
Re:Max. size of packets (Score:2)
So THAT's what that was about! (Score:2)
Saw the blurb in the LISA program (it appeared as "Overzealous Security Administrators Are Breaking the Internet" -- sheah, right, let's put six exclamation points on it) but had no idea what it was about until I got to this article.
Score one for
PDF Fixed (Score:1)
Last Post! (Score:1)
mouth again, and sitting down upon a dead mouse.
"What do you keep that mouse for?" I said. "You should either
bury it or else throw it into the brook."
"Why, it's to measure with!" cried Bruno. "How ever would you
do a garden without one? We make each bed three mouses and a half
long, and two mouses wide."
I stopped him as he was dragging it off by the tail to show me
how it was used...
-- Lewis Carroll, "Sylvie and Bruno"
- this post brought to you by the Automated Last Post Generator...