[c-nsp] TCP MSS CLAMPING issue

james list jameslist72 at gmail.com
Sun Jan 23 12:31:40 EST 2022

Hi Gert,
thanks for the feedback.

Firewall vendor reports this:

" When SYN Cookies is activated, the firewall does not honor the TCP options
that the server sends because it does not know these values at the time that
it proxies the SYN/ACK. Therefore, values such as the TCP server’s window size
and MSS values cannot be negotiated during the TCP handshake and the firewall
will use its own default values. In the scenario where the MSS of the path to
the server is smaller than the firewall’s default MSS value, the packet will
need to be fragmented. "

Here we see the client does not seem to be RFC compliant, since RFC6691
(https://datatracker.ietf.org/doc/html/rfc6691#appendix-A) states:

"If an MSS option is not received at connection setup, TCP MUST assume a
default send MSS of 536 (576-40) [TCP:4]."

As recap:

1) during no attack: client sends MSS 1460 with DF=1, server responds with
MSS 1436 (due to GRE), client uses 1436, connection is established
correctly with TLS exchange
2) during attack: client sends MSS 1460 with DF=1, server (= firewall in
this phase due to syn-challenge) responds without MSS, client uses 1460, TLS
exchange is broken

From my point of view, since RFC6691 states "MUST use 536", the customer is
not compliant.

What do you think?


On Sun, 23 Jan 2022 at 17:40, Gert Doering <gert at greenie.muc.de>
wrote:

> Hi,
> On Sun, Jan 23, 2022 at 05:10:42PM +0100, james list wrote:
> > I suspect the current Cisco implementation does not change MSS because the
> > syn-ack does not contain the MSS option.
> If there is no MSS option, nothing can be adjusted - one would need extra
> code to *add* such an option, which is more complex than "change one
> number and adjust the checksum".
> So, get your firewall vendor to fix their SYN-ACK-spoofing code.
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
>  feed honest figures into a computer, honest figures come out. Never doubted
>  it myself till I met a computer with a sense of humor."
>                              Robert A. Heinlein, The Moon is a Harsh Mistress
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
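As an added illustration of the two points in this thread (a client that receives a SYN/ACK without an MSS option falls back to the RFC 6691 default of 536, and an MSS clamp can only rewrite an option that is actually present), this Python model parses the options of a constructed SYN/ACK, reports the MSS a conforming client would use, and clamps an advertised MSS with the "change one number and adjust the checksum" step Gert describes (incremental update per RFC 1624). It is example code written for this page, not code from any poster, from Cisco or from the firewall vendor; the addresses, ports and sequence numbers are made up.

```python
import struct

DEFAULT_MSS = 536   # RFC 6691 / RFC 1122: MSS a peer must assume when no MSS option arrives
IPS = bytes([192, 0, 2, 1, 198, 51, 100, 2])  # constructed src/dst (TEST-NET) for the pseudo-header

def ones_sum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, folded to 16 bits."""
    data += b"\x00" * (len(data) % 2)
    acc = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    return acc

def pseudo(hdr: bytes) -> bytes:  # IPv4 pseudo-header; TCP length == header length (no payload)
    return IPS + struct.pack("!BBH", 0, 6, len(hdr))

def synack(options: bytes) -> bytes:  # constructed SYN/ACK 443 -> 40000; options padded to 4 bytes
    doff = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIBBHHH", 443, 40000, 1000, 2001, doff << 4, 0x12, 65535, 0, 0) + options
    return hdr[:16] + struct.pack("!H", ~ones_sum(pseudo(hdr) + hdr) & 0xFFFF) + hdr[18:]

def tcp_options(hdr: bytes) -> dict:
    """Map option kind -> (offset of its value within hdr, value bytes)."""
    i, end, opts = 20, (hdr[12] >> 4) * 4, {}
    while i < end and hdr[i] != 0:          # kind 0 = End of Option List
        if hdr[i] == 1:                     # kind 1 = NOP padding
            i += 1
            continue
        opts[hdr[i]] = (i + 2, hdr[i + 2:i + hdr[i + 1]])
        i += hdr[i + 1]
    return opts

def effective_mss(hdr: bytes) -> int:  # what a conforming client uses: advertised MSS, else 536
    mss = tcp_options(hdr).get(2)
    return struct.unpack("!H", mss[1])[0] if mss else DEFAULT_MSS

def clamp_mss(hdr: bytes, max_mss: int) -> "bytes | None":
    """Lower an advertised MSS to max_mss with an incremental checksum fix (RFC 1624); None if no MSS option."""
    opts = tcp_options(hdr)
    if 2 not in opts:
        return None                          # a clamp rewrites a value, it cannot add the option
    off, raw = opts[2]
    if struct.unpack("!H", raw)[0] <= max_mss:
        return hdr
    new = bytearray(hdr)
    new[off:off + 2] = struct.pack("!H", max_mss)
    lo, hi = off & ~1, (off + 3) & ~1       # checksum words touched; then HC' = ~(~HC + ~m + m')
    acc = ones_sum(bytes(~b & 0xFF for b in hdr[16:18] + hdr[lo:hi]) + bytes(new[lo:hi]))
    new[16:18] = struct.pack("!H", ~acc & 0xFFFF)
    return bytes(new)
```

The second constructed header below places the MSS value at an odd offset (after a NOP), which exercises the case where the rewritten value straddles two checksum words.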
