[nsp] Path MTU discovery
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Mon Apr 19 01:45:17 EDT 2004
> On Sun, Apr 18, 2004 at 02:55:23PM -0400, Robert Boyle wrote:
> > I have use mtu path discovery for years with tunnel interfaces.
> > Is there a global config command or is this simply a BGP specific
> > per peer config option?
>
>
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/
ip_c/ipcprt1/1cdip.htm#1001846
>
> I would think twice about enabling it though, because it makes your
> BGP and LDP sessions vulnerable to ICMP frag-need-but-TTL-exceeded
> attacks, where MD5 authentication doesn't help at all.
Agreed. But the performance gain achieved by it warrents the effort
protecting your control plane against such and similar attacks.
BTW: Are such attacks seen in the field? As the "attack window" is
pretty short (only a sec or so, while TCP opens the connections and
performs PMTUD), not sure how "attractive" such attacks are.
oli
More information about the cisco-nsp
mailing list