[c-nsp] TCP MSS CLAMPING issue

Gert Doering gert at greenie.muc.de
Sun Jan 23 11:40:35 EST 2022


On Sun, Jan 23, 2022 at 05:10:42PM +0100, james list wrote:
> I suspect the current Cisco implementation does not change MSS because the
> syn-ack does not contain the MSS option.

If there is no MSS option, nothing can be adjusted - one would need extra
code to *add* such an option, which is more complex than "change one 
number and adjust the checksum".

So, get your firewall vendor to fix their SYN-ACK-spoofing code.

"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             gert at greenie.muc.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 630 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-nsp/attachments/20220123/b5817da5/attachment.sig>

More information about the cisco-nsp mailing list