[18772] in bugtraq


Re: ICMP fragmentation required but DF set problems.

daemon@ATHENA.MIT.EDU (antirez)
Tue Jan 23 20:35:02 2001

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-ID:  <20010123211521.A2800@palla>
Date:         Tue, 23 Jan 2001 21:15:21 +0100
Reply-To: antirez@invece.org
From: antirez <antirez@invece.org>
X-To:         Niels Provos <provos@CITI.UMICH.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20010122231533.8105F207C3@citi.umich.edu>; from
              provos@CITI.UMICH.EDU on Mon, Jan 22, 2001 at 06:15:33PM -0500

On Mon, Jan 22, 2001 at 06:15:33PM -0500, Niels Provos wrote:
> IPv6 is another case though.  Here you have mandatory PMTU for all
> protocols.

In this case, and even with IPv4 if you want a UDP PMTU API and so on,
the only way seems to be to sign the outgoing packets with an HMAC and
a local key. So you will be able to check if the quoted packet in the
ICMP error was sent by your host.
With IPv4 you can use the ip.id field since it's useless with
the DF bit set, but a 16 bit protection is very weak.
Another way may be to add a bogus IP option, since fully-standard
TCP/IP stacks will ignore the option, that contains the HMAC,
but unfortunately all kinds of firewalls will drop these packets.

With IPv6 the clearest way seems a new next-header with the HMAC
that provides the authentication. No key exchange is needed,
you just sign your own packets to recognize them later.

antirez

--
Salvatore Sanfilippo              |                      <antirez@invece.org>
http://www.kyuzz.org/antirez      |      PGP: finger antirez@tella.alicom.com
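The following is an added, user-space model of the scheme antirez describes above; it is not his code and not taken from any stack. It assumes the tag is an HMAC-SHA256 over the fields an ICMP error quotes back (addresses, protocol, ports), truncated to 16 bits and written into ip.id on DF packets, and it verifies the quoted header carried in a "fragmentation needed" ICMP message against the same key. Addresses, ports, the key and the zeroed checksums are constructed for the demo. The `nbits` parameter exists only so the 16-bit ip.id case can be contrasted with a longer tag such as the one a dedicated IPv6 next-header could carry.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# Constructed per-host secret; a real stack would keep it in kernel memory.
LOCAL_KEY = os.urandom(32)


def packet_tag(key, src, dst, proto, sport, dport, nbits=16):
    """HMAC over the invariant fields an ICMP error quotes back, truncated
    to nbits (16 models ip.id; up to 64 models a dedicated extension header)."""
    msg = struct.pack("!4s4sBHH",
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed,
                      proto, sport, dport)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") & ((1 << nbits) - 1)


def build_ipv4_packet(src, dst, proto, sport, dport, ip_id, df=True):
    """Minimal IPv4 header (IHL=5, no options, checksum zeroed) plus the first
    8 transport bytes: exactly the 28 bytes an ICMP error quotes."""
    flags_frag = 0x4000 if df else 0
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, ip_id, flags_frag, 64,
                         proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    transport = struct.pack("!HHI", sport, dport, 0)  # ports + filler
    return header + transport


def tagged_packet(key, src, dst, proto, sport, dport):
    """Outgoing DF packet whose ip.id is the 16-bit tag instead of a counter."""
    return build_ipv4_packet(src, dst, proto, sport, dport,
                             packet_tag(key, src, dst, proto, sport, dport, 16))


def ip_id_of(packet):
    return struct.unpack_from("!H", packet, 4)[0]


def with_ip_id(packet, ip_id):
    """Same packet with a different ip.id (used to model a guessed tag)."""
    return packet[:4] + struct.pack("!H", ip_id) + packet[6:]


def build_frag_needed(mtu, quoted):
    """ICMP type 3 code 4 (checksum zeroed) quoting the offending packet."""
    return struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + quoted[:28]


def parse_frag_needed(icmp):
    """Return (next-hop MTU, quoted packet) or None if not type 3 code 4."""
    icmp_type, code, _csum, _unused, mtu = struct.unpack_from("!BBHHH", icmp, 0)
    if icmp_type != 3 or code != 4:
        return None
    return mtu, icmp[8:]


def quoted_packet_is_ours(key, quoted):
    """Accept the ICMP error only if the quoted header carries our tag."""
    if len(quoted) < 28 or quoted[0] >> 4 != 4 or (quoted[0] & 0x0F) != 5:
        return False  # not the options-free IPv4 header we emit
    proto = quoted[9]
    src = str(ipaddress.IPv4Address(quoted[12:16]))
    dst = str(ipaddress.IPv4Address(quoted[16:20]))
    sport, dport = struct.unpack_from("!HH", quoted, 20)
    expected = packet_tag(key, src, dst, proto, sport, dport, 16)
    return hmac.compare_digest(ip_id_of(quoted).to_bytes(2, "big"),
                               expected.to_bytes(2, "big"))


def accepted_id_count(key, src, dst, proto, sport, dport):
    """How many of the 65536 possible ip.id values pass the check: exactly one,
    which is why the mail calls a 16-bit tag weak (a blind forger needs at most
    65536 tries) while a 64-bit tag in an extension header would not be."""
    base = build_ipv4_packet(src, dst, proto, sport, dport, 0)
    return sum(quoted_packet_is_ours(key, with_ip_id(base, i))
               for i in range(1 << 16))


if __name__ == "__main__":
    pkt = tagged_packet(LOCAL_KEY, "10.0.0.1", "192.0.2.9", 6, 40000, 80)
    mtu, quoted = parse_frag_needed(build_frag_needed(1280, pkt))
    print("genuine error accepted:", quoted_packet_is_ours(LOCAL_KEY, quoted), "MTU", mtu)
    forged = with_ip_id(pkt, (ip_id_of(pkt) + 1) & 0xFFFF)
    print("forged error accepted:", quoted_packet_is_ours(LOCAL_KEY, forged))
    print("ids accepted out of 65536:",
          accepted_id_count(LOCAL_KEY, "10.0.0.1", "192.0.2.9", 6, 40000, 80))
```

The receiving side never needs the peer's cooperation: the key stays local, and a path that strips or rewrites ip.id would simply make genuine errors fail the check, which is the same trade-off the mail notes for firewalls dropping packets with an unknown option.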
