[c-nsp] ios tcp defaults

Lee ler762 at gmail.com
Fri Apr 22 12:56:28 EDT 2016


On 4/22/16, Sebastian Beutel wrote:
> Hi List,
>
>     In some kind of spring-cleaning of our configuration collection, I
> encountered some lines that differ from Cisco's defaults in many of our
> switches. The Cisco default for the lines in question is like this:
>
> no ip tcp selective-ack
> no ip tcp path-mtu-discovery
>
> This makes me wonder because I believe that PMTU discovery and selective
> ack are good things. Furthermore, in our heritage config defaults
> selective-ack and path-mtu-discovery are explicitly enabled.
>
> The question I would like to ask is therefore: does anyone know why Cisco
> chose to disable this by default, and am I right that it's safe these days
> to enable it?

My attitude is that every feature enabled = another attack surface
enabled.  So the question is how likely is the attack vs. how much
benefit is the feature.

I don't know what attack[s] enabling selective-ack opens up, but
there's probably something.

Enabling path MTU discovery [used to? still does??] opens up the
possibility of an attacker dropping the MTU down to 68 bytes.  On the
other hand, if the do-not-fragment bit is clear (i.e. path MTU
discovery off) you're supposed to assume an MTU of 576 bytes for
off-subnet traffic, so maybe something bad will happen vs. a guaranteed
performance hit with PMTUD disabled.

have a look at
http://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20050412-icmp.html

All that said, I like having pmtud & selective ack enabled.  Your
security office might have a different opinion.

Regards,
Lee
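An added illustration of the host-side check that blunts the forged-ICMP MTU reduction Lee refers to (this is example code written for this archive page, not Lee's, Cisco's, or anything from the linked advisory): before an ICMP "Fragmentation Needed" message is allowed to lower a path MTU, it is decoded and compared against the receiver's own connection state. The function names, the `known_flows` table shape, the 576-byte alert threshold and the sample packets are all assumptions made for the example; the 68-byte floor is the IPv4 minimum the message above mentions. Checksums are not verified, and the sample packets are constructed fixtures built only to feed the parser.

```python
"""Sanity-check ICMP 'Fragmentation Needed' (type 3, code 4) messages
before letting them shrink a path MTU. Added example, not vendor code."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

IPV4_MIN_MTU = 68            # smallest next-hop MTU IPv4 can legally advertise
SUSPICIOUS_MTU_FLOOR = 576   # assumed policy threshold: anything lower raises an alert


@dataclass
class FragNeeded:
    reporter: str        # router that claims to have sent the ICMP error
    next_hop_mtu: int
    orig_src: str        # fields recovered from the embedded original datagram
    orig_dst: str
    orig_proto: int
    orig_sport: int
    orig_dport: int
    orig_seq: int


def _parse_ipv4(buf: bytes, off: int = 0):
    """Return (src, dst, proto, payload_offset) for the IPv4 header at off."""
    vihl, _tos, _tlen, _id, _ff, _ttl, proto, _csum, src, dst = struct.unpack_from(
        "!BBHHHBBH4s4s", buf, off)
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (vihl & 0x0F) * 4
    return str(IPv4Address(src)), str(IPv4Address(dst)), proto, off + ihl


def parse_frag_needed(pkt: bytes):
    """Decode an IPv4/ICMP packet; return FragNeeded for type 3 code 4, else None."""
    rsrc, _rdst, proto, off = _parse_ipv4(pkt)
    if proto != 1:                       # not ICMP
        return None
    itype, code, _csum, _unused, mtu = struct.unpack_from("!BBHHH", pkt, off)
    if itype != 3 or code != 4:
        return None
    # An ICMP error carries the offending datagram's IP header plus its first 8 bytes,
    # which for TCP is source port, destination port and sequence number.
    isrc, idst, iproto, ioff = _parse_ipv4(pkt, off + 8)
    sport, dport, seq = struct.unpack_from("!HHI", pkt, ioff)
    return FragNeeded(rsrc, mtu, isrc, idst, iproto, sport, dport, seq)


def classify(msg: FragNeeded, known_flows: dict):
    """known_flows maps (src, dst, sport, dport) -> (seq_low, seq_high), the
    sequence range currently in flight on that connection (assumed table shape).
    Returns (verdict, reason); only 'accept' should be allowed to lower the PMTU."""
    if msg.orig_proto != 6:
        return "drop", "embedded datagram is not TCP"
    key = (msg.orig_src, msg.orig_dst, msg.orig_sport, msg.orig_dport)
    if key not in known_flows:
        return "drop", "no matching TCP connection"
    lo, hi = known_flows[key]
    if not lo <= msg.orig_seq < hi:
        return "drop", "embedded sequence number not in flight"
    if msg.next_hop_mtu < IPV4_MIN_MTU:
        return "drop", f"next-hop MTU {msg.next_hop_mtu} below IPv4 minimum"
    if msg.next_hop_mtu < SUSPICIOUS_MTU_FLOOR:
        return "alert", f"next-hop MTU {msg.next_hop_mtu} unusually small"
    return "accept", "matches an active connection"


def make_sample(reporter, mtu, src, dst, sport, dport, seq) -> bytes:
    """Constructed test fixture: minimal IPv4 + ICMP 3/4 packet, checksums left zero."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, 6, 0,
                           IPv4Address(src).packed, IPv4Address(dst).packed)
    inner_tcp = struct.pack("!HHI", sport, dport, seq)
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + inner_ip + inner_tcp
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 2, 0, 64, 1, 0,
                        IPv4Address(reporter).packed, IPv4Address(src).packed)
    return outer + icmp


if __name__ == "__main__":
    # One connection we know about: 10.0.0.5:51000 -> 192.0.2.10:443, 64K bytes in flight
    flows = {("10.0.0.5", "192.0.2.10", 51000, 443): (1000, 1000 + 65535)}
    for mtu in (1400, 300, 40):
        pkt = make_sample("198.51.100.1", mtu, "10.0.0.5", "192.0.2.10", 51000, 443, 1500)
        print(mtu, classify(parse_frag_needed(pkt), flows))
```

The order of checks matters: the 4-tuple and sequence-number match is what makes blind spoofing expensive, while the MTU floor only catches the clumsiest messages, so a message that fails the connection match is dropped regardless of how plausible its MTU looks.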

