[Openswan dev] Proposal for dealing with ICMP black holes for IPsec

Herbert Xu herbert at gondor.apana.org.au
Mon Jul 5 08:40:15 CEST 2004


On Sun, Jul 04, 2004 at 02:37:36PM +0200, Ken Bantoft wrote:
> 
> Interesting idea - tcp/500 connection (or maybe it should be port 4500, to 
> deal with NAT boxes.  I assume you want to do this as early as possible, 
> eg: Phase 1, however until we have a PH2 we can't do a secure TCP, only 
> authenticated.  

Encrypting it is not very useful since the information we're trying
to convey is public anyway.

Authenticating it is useful to a certain extent.  What we're trying to
prevent is for an attacker to lower our MTU unnecessarily.  However there
are limits to what we can do since the information we're trying to obtain
can only be there through modification of the TCP header.

So the easiest thing to do would be to verify the MSS obtained in this
way by sending a packet of mtu(MSS) + 1 bytes and checking whether it
arrives.

We'll also be repeating this process periodically (once every ten minutes)
as long as the tunnel is not idle, so even if we do get an incorrect MTU
it is not fatal.

I should also point out that if the attacker can inject packets into
the network and our firewalls are configured properly, then it is rather
trivial for them to lower the path MTU anyway by sending us a need-to-frag
packet.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
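A small simulation of the verification step proposed above, added here as an illustration and not code from Openswan or from the message's author: the MTU implied by the MSS seen on the control connection is only trusted if a probe of mtu(MSS) + 1 bytes does not get through, and the check is repeated while the tunnel is busy. The path model and the probe callback are assumptions of the simulation; a real implementation would send a DF-marked packet through the tunnel.

```python
# Added example, not Openswan code. Simulates checking an MSS-derived MTU
# the way the message proposes: a probe of mtu(MSS)+1 bytes that arrives
# means the MSS understates the real path MTU (e.g. an attacker or a
# middlebox clamped it), so the value is rejected.
from typing import Callable

IPV4_HDR = 20   # assumption: IPv4, no options
TCP_HDR = 20    # assumption: no TCP options


def mtu_from_mss(mss: int) -> int:
    """mtu(MSS): the advertised MSS plus the IP and TCP headers it excludes."""
    return mss + IPV4_HDR + TCP_HDR


def verify_mss_mtu(mss: int, send_probe: Callable[[int], bool]) -> tuple:
    """Return (candidate_mtu, trusted).

    send_probe(size) is assumed to send a DF-marked packet of `size` bytes
    and report whether it arrived. If a packet one byte larger than the
    candidate MTU still arrives, the MSS was lowered below the real path
    MTU and must not be trusted. Note the check only catches an MSS that
    is too small; an MSS that is too large is not detected by this probe.
    """
    mtu = mtu_from_mss(mss)
    arrived = send_probe(mtu + 1)
    return mtu, not arrived


def refresh_mtu(current_mtu: int, mss: int,
                send_probe: Callable[[int], bool], idle: bool) -> int:
    """One round of the periodic re-check (the message suggests every ten
    minutes): skip idle tunnels, adopt a verified MTU, keep the old one
    when verification fails so a bad MSS is not fatal."""
    if idle:
        return current_mtu
    mtu, trusted = verify_mss_mtu(mss, send_probe)
    return mtu if trusted else current_mtu


class SimulatedPath:
    """Constructed path model: DF packets larger than real_mtu are dropped."""

    def __init__(self, real_mtu: int) -> None:
        self.real_mtu = real_mtu

    def send_probe(self, size: int) -> bool:
        return size <= self.real_mtu
```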