[Dshield] A perplexing question

John Kimbler kimblerj at naples.navy.mil
Thu Mar 15 11:19:59 GMT 2001


Thanks to all who responded!

I got to thinking about life, Ethernet, and everything last night and
realized that my question was pointless. The reason why I asked the question
in the first place was because I needed to know if I had to manipulate MTU
size for inbound and outbound packets (relative to the clients behind my
firewall) with a Packet Shaper. Regardless of the firewall I use, I should
never have to change the MTU of inbound packets as long as I have the Packet
Shaper configured to change the MTU of the packets my clients are sending.
Even if Gauntlet negotiates a higher MTU with servers on the untrusted
network, it has to send packets back to the clients with the MTU that the
clients negotiated with the firewall when the connection was initially
established, otherwise the firewall could send packets to the clients that
are larger than what the clients expect them to be and the data would be
interpreted incorrectly. A simple example: The clients negotiate an MSS of
512 bytes, but the firewall sends a packet with an MSS of 1024. The client
would only "read" the first 512 bytes of the application layer data in the
packet and it would expect the next set of bytes to be the preamble and
start frame delimiter of the next packet. In technical terms that would be
what we call "bad" ;)

I put everything together in my head last night after reviewing the symptoms
of an MTU mismatch: Small packets (with an MSS less than or equal to the MSS
the client expects) are read correctly and passed to the application layer,
no problems. Large packets (with an MSS greater than the client expects) get
dropped or get passed to the application layer and the data is displayed
as garble (makes for some interesting looking email)...

Sorry to waste your time folks... :(

Dalantech
www.dalantech.com
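What an MSS clamp on the client side of the firewall actually does to the SYN, as an added example that is not from this thread or from any PacketShaper or Gauntlet code: it rewrites the TCP MSS option in the client's SYN and recomputes the TCP checksum, and leaves every other segment untouched. The addresses, ports and the 1460/512 values are constructed for the demonstration.

```python
import struct

SRC, DST = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10])  # constructed client/server addresses
def tcp_checksum(src, dst, segment):
    """RFC 793 checksum over IPv4 pseudo-header + segment; returns 0 for a valid segment."""
    data = src + dst + struct.pack("!BBH", 0, 6, len(segment)) + segment
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries (one's complement sum)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF
def tcp_options(segment):
    """Yield (offset, kind, length) per option; stop at EOL or a malformed option."""
    data_offset = (segment[12] >> 4) * 4
    i = 20
    while i < data_offset:
        kind = segment[i]
        if kind == 0:                         # end of option list
            return
        if kind == 1:                         # NOP is a single byte
            i += 1
            continue
        length = segment[i + 1] if i + 1 < data_offset else 0
        if length < 2 or i + length > data_offset:
            return                            # malformed: never walk past the header
        yield i, kind, length
        i += length
def mss_of(segment):
    """Advertised MSS (option kind 2) or None."""
    for off, kind, length in tcp_options(segment):
        if kind == 2 and length == 4:
            return struct.unpack_from("!H", segment, off + 2)[0]
    return None
def clamp_mss(src, dst, segment, max_mss):
    """Lower a SYN's MSS option to max_mss and fix the checksum; non-SYN segments pass through."""
    if not segment[13] & 0x02:                # MSS is only legal in SYN segments
        return segment
    seg = bytearray(segment)
    for off, kind, length in tcp_options(seg):
        if kind == 2 and length == 4 and struct.unpack_from("!H", seg, off + 2)[0] > max_mss:
            struct.pack_into("!H", seg, off + 2, max_mss)
    struct.pack_into("!H", seg, 16, 0)        # zero the checksum, then recompute it
    struct.pack_into("!H", seg, 16, tcp_checksum(src, dst, bytes(seg)))
    return bytes(seg)
def build_syn(mss, src=SRC, dst=DST):
    """Constructed client SYN: 40000 -> 80, data offset 6 (24 bytes), MSS option only."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 6 << 4, 0x02, 8192, 0, 0)
    seg = bytearray(hdr + struct.pack("!BBH", 2, 4, mss))
    struct.pack_into("!H", seg, 16, tcp_checksum(src, dst, bytes(seg)))
    return bytes(seg)
```

Because the clamp rewrites the SYN, the server never learns the client's original MSS; the reverse direction needs no MTU rewriting as long as the server-side segments honour the value the shaper advertised.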

-----Original Message-----
From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org] On Behalf Of Johannes B. Ullrich
Sent: Thursday, March 15, 2001 1:26 AM
To: dshield at dshield.org
Subject: RE: [Dshield] A perplexing question


Actually, you can have the gauntlet firewall do the MTU adjustment and
traffic shaping for you if I remember right. I will follow with a
URL once I manage to find it. I remember some University (ksu.edu?)
doing some experiments with a Gauntlet firewall.... If I remember right,
the basic result was that larger MTUs are better. But both links have to be
set up right...


-----Original Message-----
From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org] On Behalf Of John Kimbler
Sent: Wednesday, March 14, 2001 6:14 AM
To: dshield at dshield.org
Subject: [Dshield] A perplexing question


I'd like to use a Packet Shaper to modify the MTU size of the packets that
are sent and received by the clients on my network. My question is this:
Does a Gauntlet (or any) firewall change the MTU values that are negotiated
when a client behind a firewall connects to a destination that is on the
untrusted network (like www.yahoo.com, for example)? Or are the MTU values
negotiated from client to server and maintained, the firewall just acts as a
NAT server and only changes IP addresses? Thanks in advance to all who
respond. Please, if possible, include a URL that I can reference for the
answer.

Dalantech

www.dalantech.com

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www1.dshield.org/mailman/listinfo/dshield
