[c-nsp] PIX/ASA 7.x MSS size checking... useful/useless?
Jeff Kell
jeff-kell at utc.edu
Thu Apr 13 14:45:23 EDT 2006
Another "adjustment pain" in PIX 6.3 => ASA 7.1 conversion hopefully someone else has run across...
7.x TCP inspection checking includes interpretation of the original negotiated MSS size of the connection, and it will bounce any subsequent packets whose data size exceeds the negotiated MSS. Sounds perfectly reasonable.
But it is generating a lot of alerts, dropped packets, and some helpdesk calls for "why can't I get to this website?".
Cisco knows about it, http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml (or http://tinyurl.com/qco7n).
The article describes a painfully long process of packet captures to prove to yourself that this is what is happening, then suggests a complicated workaround policy-map to allow MSS to be exceeded. They caution you to carefully enumerate the source in question to minimize your exposure: "the workaround includes the identification of the HTTP client and servers via an access-list" and "it is imperative to configure the access-list with the direction of the SYN in mind...". However, they go on to say "If a more pervasive rule is required, you can replace the access-list statement in this section with an access-list which permits everything".
I'm seeing quite a bit of traffic breaking these rules, typically with negotiated MSS 1380 and data ~1452-1460.
Is the net really this broken? Are there nasty exploits that would be allowed if I make a global exception?
I'm trying to understand this, as opposed to just making it go away :-)
Jeff
More information about the cisco-nsp
mailing list