[nsp] Path MTU discovery
Glen Turner
glen.turner at aarnet.edu.au
Mon Apr 19 09:40:04 EDT 2004
Daniel Roesen wrote:
> On Sun, Apr 18, 2004 at 02:55:23PM -0400, Robert Boyle wrote:
>
>>I have use mtu path discovery for years with tunnel interfaces.
>>Is there a global config command or is this simply a BGP specific
>>per peer config option?
>
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_c/ipcprt1/1cdip.htm#1001846
>
> I would think twice about enabling it though, because it makes your
> BGP and LDP sessions vulnerable to ICMP frag-need-but-TTL-exceeded
> attacks, where MD5 authentication doesn't help at all.
What's the practical effect of such an attack? It is just
burning cycles as the attacker walks the pMTU down by
one until the MTU reaches 536? And then the effect of
the smaller MTU?
I assume ACLs on outward-facing interfaces can protect iBGP.
For single-hop eBGP, why is the operating system acting on
an ICMP frag-need-but-TTL-exceeded from the connected subnet?
For TTL=1 IP packets, any incoming ICMP frag-need-but-TTL-exceeded
is bogus, since TTL=1 implies that no forwarding of the packet
is possible, but that ICMP response can only be generated by
forwarders (end-hosts never fragment traffic).
So is the only realistic exposure multihop eBGP?
My apologies if I'm missing something obvious,
Glen
More information about the cisco-nsp
mailing list