
Ignore Path MTU Discovery on UDP server socket #7410

Merged
merged 2 commits into from Apr 23, 2019

@rgacogne
Member

commented Jan 23, 2019

Short description

It might help prevent Path MTU poisoning attacks.
Untested, don't merge it yet!

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled this code
  • tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)
#endif /* IP_PMTUDISC_OMIT */

/* IP_PMTUDISC_DONT disables Path MTU discovery */
SSetsockopt(sockfd, IPPROTO_IP, IP_MTU_DISCOVER, IP_PMTUDISC_DONT);
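Review bot: the SSetsockopt(sockfd, IPPROTO_IP, IP_MTU_DISCOVER, IP_PMTUDISC_DONT) call on the last line is unguarded, while the #endif just above it closes a guard for IP_PMTUDISC_OMIT; on a platform that lacks IP_MTU_DISCOVER or IP_PMTUDISC_DONT this line will not compile. Wrap it in its own #ifdef IP_PMTUDISC_DONT ... #endif block, and since IP_PMTUDISC_OMIT is already being checked for right above, consider preferring that value when it is available and only falling back to IP_PMTUDISC_DONT otherwise.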

@rgacogne

rgacogne Jan 23, 2019

Author Member

We should check that IP_MTUDISC_DONT is defined. Note that unbound sets the don't fragment flag on systems that don't have IP_MTUDISC_DONT: https://github.com/NLnetLabs/unbound/blob/master/services/listen_dnsport.c#L571

@rgacogne

rgacogne Jan 23, 2019

Author Member

Added the missing check for IP_MTUDISC_DONT. I'm still undecided about setting DF=1.
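As an added example that is not PowerDNS code, the following Linux helper shows the guarded setsockopt pattern this thread is discussing: it prefers IP_PMTUDISC_OMIT when the running kernel accepts it, falls back to IP_PMTUDISC_DONT otherwise, keeps both options behind #ifdef so the file still compiles where they are absent, and reads the mode back with getsockopt so the setting can be verified. The function names udp_server_socket, disable_pmtud and pmtud_is_disabled are assumptions for this example; the project's own SSetsockopt wrapper is not used.

```c
/* Added example (not PowerDNS code): disable Path MTU Discovery on a UDP
 * server socket on Linux, with every option guarded by #ifdef. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>

/* Hypothetical helper: plain IPv4 UDP socket, not bound to any port. */
int udp_server_socket(void)
{
    return socket(AF_INET, SOCK_DGRAM, 0);
}

/* Turn PMTUD off for this socket.
 * IP_PMTUDISC_OMIT (Linux >= 3.15) ignores any cached path-MTU value and
 * fragments at the interface MTU with DF clear, which is what defeats a
 * poisoned path-MTU entry.  IP_PMTUDISC_DONT only clears DF; the kernel may
 * still size fragments from a cached path MTU.  OMIT is tried first and
 * DONT is used if the kernel rejects OMIT (headers newer than the kernel).
 * Returns 0 on success, -1 with errno set otherwise. */
int disable_pmtud(int sockfd)
{
#if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
    int mode;
#ifdef IP_PMTUDISC_OMIT
    mode = IP_PMTUDISC_OMIT;
    if (setsockopt(sockfd, IPPROTO_IP, IP_MTU_DISCOVER, &mode, sizeof(mode)) == 0)
        return 0;
    /* Typically EINVAL on an old kernel: fall through to DONT. */
#endif
    mode = IP_PMTUDISC_DONT;
    return setsockopt(sockfd, IPPROTO_IP, IP_MTU_DISCOVER, &mode, sizeof(mode));
#else
    /* Platform has no socket-level PMTUD control at all. */
    (void)sockfd;
    errno = ENOPROTOOPT;
    return -1;
#endif
}

/* Read the mode back.  Returns 1 if PMTUD is off (DONT or OMIT), 0 if it is
 * still on (WANT/DO/PROBE/INTERFACE), -1 if it cannot be queried. */
int pmtud_is_disabled(int sockfd)
{
#if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
    int mode = -1;
    socklen_t len = sizeof(mode);
    if (getsockopt(sockfd, IPPROTO_IP, IP_MTU_DISCOVER, &mode, &len) != 0)
        return -1;
    if (mode == IP_PMTUDISC_DONT)
        return 1;
#ifdef IP_PMTUDISC_OMIT
    if (mode == IP_PMTUDISC_OMIT)
        return 1;
#endif
    return 0;
#else
    (void)sockfd;
    return -1;
#endif
}

int main(void)
{
    int fd = udp_server_socket();
    if (fd < 0) {
        perror("socket");
        return 1;
    }
    printf("PMTUD disabled before: %d\n", pmtud_is_disabled(fd));
    if (disable_pmtud(fd) != 0) {
        fprintf(stderr, "disable_pmtud: %s\n", strerror(errno));
        close(fd);
        return 1;
    }
    printf("PMTUD disabled after:  %d\n", pmtud_is_disabled(fd));
    close(fd);
    return 0;
}
```

The same pattern applies to IPv6 sockets with IPV6_MTU_DISCOVER and the IPV6_PMTUDISC_* values at level IPPROTO_IPV6; a dual-stack server needs both.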

@rgacogne

Member Author

commented Jan 23, 2019

As a datapoint, Knot decided against doing this: https://gitlab.labs.nic.cz/knot/knot-dns/issues/467

@mnordhoff

Contributor

commented Jan 23, 2019

Knot decided against it in 2016 when fragmentation attacks weren't in vogue, though.

@rgacogne rgacogne force-pushed the rgacogne:pmtu-dont branch from 60ff55c to c3cdd3f Feb 14, 2019

@rgacogne

Member Author

commented Feb 14, 2019

Rebased to fix a conflict.

@rgacogne

Member Author

commented Apr 4, 2019

As pointed out by @hdais NSD did bite the bullet as well recently: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4235

rgacogne added some commits Jan 21, 2019

Ignore Path MTU Discovery on UDP server socket
It might help prevent Path MTU poisoning attacks.

@rgacogne rgacogne force-pushed the rgacogne:pmtu-dont branch from c3cdd3f to b707672 Apr 18, 2019

@rgacogne rgacogne added this to the rec-4.2.0-beta1 milestone Apr 18, 2019

@rgacogne

Member Author

commented Apr 18, 2019

Moved this PR into the rec-4.2.0-beta1 milestone. Now is the time to speak if you are against this change ;-)

@rgacogne rgacogne merged commit aecec57 into PowerDNS:master Apr 23, 2019

2 checks passed

ci/circleci: build Your tests passed on CircleCI!
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details

@rgacogne rgacogne deleted the rgacogne:pmtu-dont branch Apr 23, 2019
