Re: Hardening the TCP/IP Stack Qt. - EnablePMTUDiscovery
From: Ray (res0cu5i@verizon@net)
Date: 03/20/03
- In reply to: Keith W. McCammon: "Re: Hardening the TCP/IP Stack Qt. - EnablePMTUDiscovery"
From: "Ray" <res0cu5i@verizon@net> Date: Thu, 20 Mar 2003 11:02:44 -0500
It's nice to have a second opinion.
Thanks
Ray
"Keith W. McCammon" <km@km.com> wrote in message
news:uQFYjev7CHA.1740@TK2MSFTNGP12.phx.gbl...
> > This will prevent an attacker from forcing an MTU to a very small value &
> > overworking the stack.
>
> Yes, but an overactive (chatty) application on a remote network may overwork
> the stack as well. You need to make sure you have a balance between
> safeguards and performance requirements.
>
> > Once I disable EnablePMTUDiscovery how does this
> > affect my backup server on a different subnet, meaning when backups are
> > performed will the packets only be 576 bytes?
>
> Yep.
>
> > Our routers handle packets
> > that are about 1500 bytes. By comparison, 576 bytes seems rather small. Is
> > this value of 576 bytes hard-coded, or can it be specified to a different
> > value (for instance 800 bytes)?
>
> You may be able to deal with the 576 limitation by overriding the MTU on the
> interface (under tcpip parameters in the registry), but I'm really not sure
> if this will work. I would think that it would override pmtu discovery, but
> I'm not certain.
>
> --
> Keith W. McCammon