Date: Thu, 19 Jul 2018 08:09:48 -0400
From: Michael Tuexen <Michael.Tuexen@macmic.franken.de>
To: Maxim Konovalov <maxim.konovalov@gmail.com>
Cc: Randall Stewart <rrs@FreeBSD.org>, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r336465 - in head/sys/netinet: . tcp_stacks
Message-ID: <7FC7DAA2-9B03-4D89-A878-7706EDE4294A@macmic.franken.de>
In-Reply-To: <alpine.BSF.2.20.1807191009050.76318@mp2.macomnet.net>
References: <201807182249.w6IMns6D076446@repo.freebsd.org> <alpine.BSF.2.20.1807191009050.76318@mp2.macomnet.net>

> On 19. Jul 2018, at 03:12, Maxim Konovalov <maxim.konovalov@gmail.com> wrote:
>
> Hi Randall,
>
> On Wed, 18 Jul 2018, 22:49-0000, Randall Stewart wrote:
>
>> Author: rrs
>> Date: Wed Jul 18 22:49:53 2018
>> New Revision: 336465
>> URL: https://svnweb.freebsd.org/changeset/base/336465
>>
>> Log:
>> Bump the ICMP echo limits to match the RFC
>>
> [...]
>
> Just wonder, are there any practical reasons to do that?

In case you send encapsulated packets triggering an ICMP message
you actually need more than the 8 bytes which are currently reflected.
The number 8 comes from RFC 792, which was published 1981. The new number
comes from RFC 1812, which was published 1995.

>
> While I don't see any meaningful vectors right now this could
> potentially make amplification DoS easier, no?

I don't think so. When sending packets smaller than 576 - 20 - 8, you
get a byte amplification of 8 bytes.
Please note that IPv6 already reflects as much as fits in a single packet.
So this is not something completely new...

Best regards
Michael

>
> --
> Maxim Konovalov
>