[c-nsp] TCP MSS CLAMPING issue
Gert Doering
gert at greenie.muc.de
Sun Jan 23 11:40:35 EST 2022
Hi,
On Sun, Jan 23, 2022 at 05:10:42PM +0100, james list wrote:
> I suspect the current Cisco implementation does not change MSS because the
> syn-ack does not contain the MSS option.
If there is no MSS option, nothing can be adjusted - one would need extra
code to *add* such an option, which is more complex than "change one
number and adjust the checksum".
So, get your firewall vendor to fix their SYN-ACK-spoofing code.
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany gert at greenie.muc.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 630 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-nsp/attachments/20220123/b5817da5/attachment.sig>
More information about the cisco-nsp
mailing list