[nsp] Path MTU discovery

Daniel Roesen dr at cluenet.de
Thu Apr 29 11:07:09 EDT 2004


On Mon, Apr 19, 2004 at 11:10:04PM +0930, Glen Turner wrote:
> > I would think twice about enabling it though, because it makes your
> > BGP and LDP sessions vulnerable to ICMP frag-need-but-TTL-exceeded
> > attacks, where MD5 authentication doesn't help at all.
> 
> What's the practical effect of such an attack?  It is just
> burning cycles as the attacker walks the pMTU down by
> one until the MTU reaches 536? And then the effect of
> the smaller MTU?

The MTU can go as low as 68. See RFC1191. I didn't do the math,
but you'll get into trouble getting BGP UPDATEs thru then.

> For single-hop eBGP, why is the operating system acting on
> an ICMP frag-need-but-TTL-exceeded from the connected subnet?

Because "doing PMTUD or not" is in all cases I've seen a global switch
for the implementation and not done on a case-by-case basis.


Best regards,
Daniel
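
Daniel leaves the math undone, so as an added example (not code from the thread or from any vendor's stack) here is a small Python model of a host's PMTU cache being fed the decreasing ICMP "fragmentation needed" messages Glen describes, together with the arithmetic for how many TCP segments a maximum-size BGP UPDATE needs once the cached PMTU has collapsed. The `PmtuCache` class, its `floor` knob, the peer address and the ICMP sequence are all assumptions constructed for the illustration; the constants come from RFC 1191 (68-byte minimum), RFC 2385 (18-byte TCP MD5 option) and RFC 4271 (4096-byte maximum BGP message).

```python
"""Model of a host's path-MTU cache under unauthenticated ICMP "fragmentation
needed" messages, plus the arithmetic for BGP UPDATE delivery at a tiny MTU.

Added example for this thread, not code from the original post or from any
real TCP/IP stack.  Class and function names, the PMTU floor and the sample
message sequence are assumptions / constructed data.
"""
from dataclasses import dataclass, field

IPV4_MIN_MTU = 68      # RFC 1191: smallest MTU a host must be able to use
IPV4_HDR = 20          # IPv4 header without options
TCP_HDR = 20           # TCP header without options
TCP_MD5_OPT = 18       # RFC 2385 TCP MD5 signature option (kind 19)
BGP_MAX_MSG = 4096     # RFC 4271 maximum BGP message size


@dataclass
class PmtuCache:
    """Per-destination PMTU state as a PMTUD implementation keeps it.

    floor: the smallest PMTU the host will accept from an ICMP message.
    floor=IPV4_MIN_MTU models the unprotected behaviour Daniel describes;
    a higher floor (an assumed hardening knob) bounds the damage.
    """
    link_mtu: int = 1500
    floor: int = IPV4_MIN_MTU
    pmtu: dict = field(default_factory=dict)

    def get(self, dst: str) -> int:
        return self.pmtu.get(dst, self.link_mtu)

    def on_icmp_frag_needed(self, dst: str, next_hop_mtu: int) -> int:
        """Process an ICMP type 3 code 4 for dst.

        ICMP carries no authentication, so the stack has nothing to verify;
        the message can only lower the cached value, and anything below the
        floor is clamped.  Returns the PMTU now in effect for dst.
        """
        current = self.get(dst)
        proposed = max(next_hop_mtu, self.floor)
        if proposed < current:
            self.pmtu[dst] = proposed
        return self.get(dst)


def walk_down(cache: PmtuCache, dst: str, start: int, stop: int) -> int:
    """Feed the cache the sequence Glen describes: Next-Hop MTU values
    decreasing by one from start down to stop.  Returns the resulting PMTU."""
    result = cache.get(dst)
    for mtu in range(start, stop - 1, -1):
        result = cache.on_icmp_frag_needed(dst, mtu)
    return result


def tcp_payload_per_segment(pmtu: int, md5: bool = True) -> int:
    """Bytes of TCP payload that fit in one unfragmented segment at pmtu."""
    opts = TCP_MD5_OPT if md5 else 0
    tcp_len = TCP_HDR + (opts + 3) // 4 * 4   # options padded to 32 bits
    return max(pmtu - IPV4_HDR - tcp_len, 0)


def segments_for_update(pmtu: int, update_len: int = BGP_MAX_MSG,
                        md5: bool = True) -> int:
    """TCP segments needed to carry one BGP UPDATE of update_len bytes."""
    per_seg = tcp_payload_per_segment(pmtu, md5)
    if per_seg == 0:
        raise ValueError(f"no room for TCP payload at MTU {pmtu}")
    return -(-update_len // per_seg)   # ceiling division


if __name__ == "__main__":
    peer = "192.0.2.1"   # constructed peer address (RFC 5737 documentation range)
    for label, floor in (("no floor (RFC 1191 minimum)", IPV4_MIN_MTU),
                         ("floor 552", 552)):
        cache = PmtuCache(floor=floor)
        pmtu = walk_down(cache, peer, 1500, IPV4_MIN_MTU)
        print(f"{label}: PMTU {pmtu}, "
              f"{tcp_payload_per_segment(pmtu)} payload bytes/segment, "
              f"{segments_for_update(pmtu)} segments per 4096-byte UPDATE")
```

With no floor the cache ends at 68, which leaves 8 bytes of payload per segment once the 20-byte TCP header plus padded MD5 option is accounted for, so a full-size UPDATE takes 512 segments instead of 3 at 1500. The 552 floor used in the demo is the value Linux ships as the default for `net.ipv4.route.min_pmtu`; it does not stop the forged messages from being accepted, it only caps how far they can push the session (9 segments per UPDATE rather than 512), which is why Daniel's point stands that TCP MD5 does nothing here and the decision to honour ICMP at all is a stack-wide one.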

