• Hannes Frederic Sowa's avatar
    ipv4: introduce new IP_MTU_DISCOVER mode IP_PMTUDISC_INTERFACE · 482fc609
    Hannes Frederic Sowa authored
    Sockets marked with IP_PMTUDISC_INTERFACE won't do path mtu discovery,
    their sockets won't accept and install new path mtu information and they
    will always use the interface mtu for outgoing packets. It is guaranteed
    that the packet is not fragmented locally. But we won't set the DF-Flag
    on the outgoing frames.
    
    Florian Weimer had the idea to use this flag to ensure DNS servers are
    never generating outgoing fragments. They may well be fragmented on the
    path, but the server never stores or usees path mtu values, which could
    well be forged in an attack.
    
    (The root of the problem with path MTU discovery is that there is
    no reliable way to authenticate ICMP Fragmentation Needed But DF Set
    messages because they are sent from intermediate routers with their
    source addresses, and the IMCP payload will not always contain sufficient
    information to identify a flow.)
    
    Recent research in the DNS community showed that it is possible to
    implement an attack where DNS cache poisoning is feasible by spoofing
    fragments. This work was done by Amir Herzberg and Haya Shulman:
    <https://sites.google.com/site/hayashulman/files/fragmentation-poisoning.pdf>
    
    This issue was previously discussed among the DNS community, e.g.
    <http://www.ietf.org/mail-archive/web/dnsext/current/msg01204.html>,
    without leading to fixes.
    
    This patch depends on the patch "ipv4: fix DO and PROBE pmtu mode
    regarding local fragmentation with UFO/CORK" for the enforcement of the
    non-fragmentable checks. If other users than ip_append_page/data should
    use this semantic too, we have to add a new flag to IPCB(skb)->flags to
    suppress local fragmentation and check for this in ip_finish_output.
    
    Many thanks to Florian Weimer for the idea and feedback while implementing
    this patch.
    
    Cc: David S. Miller <davem@davemloft.net>
    Suggested-by: default avatarFlorian Weimer <fweimer@redhat.com>
    Signed-off-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    482fc609
ip_sockglue.c 31.8 KB