
Correct ip_pmtu_strategy

 
Darrell Tschakert
Regular Advisor

Correct ip_pmtu_strategy

Hi,
I am finding conflicting recommendations for the ip_pmtu_strategy. I even find conflicting values for the default value of ip_pmtu_strategy. Our ip_pmtu_strategy is set to "1" which I always understood was the default. Now an HP security bulletin says that "2" is the default.

We run HP-UX 11.23. We have patch PHNE_35182 which supersedes PHNE_32606. We have the Quality Pack for March, 2007 loaded.

I know what each of the values does and I know that patches have been created to prevent DOS with certain value settings.

I just need to know what the setting should be, if that is possible.

thanks,

Darrell Tschakert
I'll add a quote when I think of one.
10 REPLIES
Pete Randall
Outstanding Contributor

Re: Correct ip_pmtu_strategy

Darrell,

Perhaps this will help:

http://www.securityfocus.com/advisories/8473


Pete

Darrell Tschakert
Regular Advisor

Re: Correct ip_pmtu_strategy

Pete,
No, sorry, but this does not help. It is part of the problem. It contains the conflicting info that I mentioned in my posting. More current HP Security Bulletins such as HPSBUX01137 SSRT5954 rev.9 give different recommendations.

Thanks,

Darrell Tschakert
I'll add a quote when I think of one.
Pete Randall
Outstanding Contributor

Re: Correct ip_pmtu_strategy

My interpretation says to set it to 1 or 3, 1 being preferable but requiring patches - unless, of course, I'm missing something!


Pete

Darrell Tschakert
Regular Advisor

Re: Correct ip_pmtu_strategy

Yes, Pete, that may be true. But your bulletin was written in 2005. Please read my previous post which lists a more current bulletin written in 2007. It states the following:
-------------------------------------
Previous revisions of this Security Bulletin recommended setting
ip_pmtu_strategy to 0 or 3 as a workaround. Patches or updates
to resolve the issue are now available. After these patches or updates
are installed the workaround will no longer be necessary or recommended.
The ip_pmtu_strategy parameter should be restored to the default value of 2.
--------------------------------------
The documents conflict in their recommendations. The later document claims that the default is 2. The earlier says 1. Ours is set to 1 and has never been changed to avoid the DOS problem.

Certainly someone out there must have an 11.23 system and has thought this one out after reading the HPSBUX01137 SSRT5954 rev.9. If so, what was your conclusion?

thanks,

Darrell Tschakert
I'll add a quote when I think of one.
John Payne_2
Honored Contributor
Solution

Re: Correct ip_pmtu_strategy

Darrell,

I suspect the "Default being 2" message in the bulletin was a typo.

:/root# ndd -h ip_pmtu_strategy

ip_pmtu_strategy:

Set the Path MTU Discovery strategy:
0 Disables Path MTU Discovery. For any destination not directly
connected to the host, a maximum MTU of 576 is used;
1 Enables Path MTU Discovery;
2 Obsoleted, must not be used;
3 Disables Path MTU Discovery. For any destination not directly
connected to the host, the maximum MTU of the link is used.

When Path MTU Discovery is enabled all outbound datagrams have
the "Don't Fragment" bit set. This should result in notification
from any intervening gateway that needs to forward a datagram
down a path that would require additional fragmentation. When the
ICMP "Fragmentation Needed" message is received, IP updates its
MTU for the remote host. If the responding gateway implements the
recommendations for gateways in RFC1191, then the next hop MTU
will be included in the "Fragmentation Needed" message, and IP
will use it. If the gateway does not provide next hop
information, then IP will reduce the MTU to the next lower value
taken from a table of "popular" media MTUs.

[0,3] Default: 1


If you want to be sure, you can email bulletin_corrections@hp.com and security_alert@hp.com and ask those guys, who are the ones that write those.

Hope it helps

John
Spoon!!!!
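
An added example, not part of the thread or of any HP tooling: a shell check that classifies an ip_pmtu_strategy value against the `ndd -h` text quoted above and compares the live value with the boot-time setting. It assumes boot-time values are kept in the HP-UX nddconf format (`/etc/rc.config.d/nddconf`) and that a missing entry means the documented default applies; the function names and the sample file contents are constructed for illustration.

```shell
# Added example: check ip_pmtu_strategy against the values listed by `ndd -h`.
classify_pmtu_strategy() {
    case "$1" in
        0) echo "ok: discovery off, MTU 576 for off-link destinations" ;;
        1) echo "ok: discovery on (documented default)" ;;
        2) echo "bad: obsoleted, must not be used" ;;
        3) echo "ok: discovery off, link MTU for off-link destinations" ;;
        *) echo "bad: outside documented range [0,3]" ;;
    esac
}

# Print the value an nddconf-format file ($1) assigns to ip_pmtu_strategy,
# pairing NDD_NAME[n] with NDD_VALUE[n]; the highest index wins. Empty if unset.
nddconf_pmtu_value() {
    awk '
        { sub(/#.*/, "") }                       # drop comments
        /^[ \t]*NDD_(NAME|VALUE)\[[0-9]+\]=/ {
            gsub(/[ \t"]/, ""); split($0, kv, "=")
            idx = kv[1]; gsub(/[^0-9]/, "", idx); idx += 0
            if (kv[1] ~ /^NDD_NAME/) name[idx] = kv[2]; else val[idx] = kv[2]
        }
        END {
            best = -1
            for (i in name)
                if (name[i] == "ip_pmtu_strategy" && i + 0 > best) best = i + 0
            if (best >= 0) print val[best]
        }' "$1"
}

# Compare the live value ($1) with the boot-time file ($2); prints one status word.
audit_pmtu_strategy() {
    boot=$(nddconf_pmtu_value "$2")
    boot=${boot:-1}   # assumption: no nddconf entry means the default (1) at boot
    case "$(classify_pmtu_strategy "$1")" in bad*) echo LIVE_INVALID; return 0 ;; esac
    case "$(classify_pmtu_strategy "$boot")" in bad*) echo BOOT_INVALID; return 0 ;; esac
    if [ "$1" = "$boot" ]; then echo OK; else echo DRIFT; fi
}

# Constructed sample: a file where the bulletin's "default value of 2" was applied.
sample=$(mktemp)
cat > "$sample" <<'EOF'
TRANSPORT_NAME[0]=ip
NDD_NAME[0]=ip_pmtu_strategy
NDD_VALUE[0]=2
EOF
# On HP-UX read the live value with ndd; elsewhere assume 1, as in the thread.
if command -v ndd >/dev/null 2>&1; then live=$(ndd -get /dev/ip ip_pmtu_strategy); else live=1; fi
echo "live=$live ($(classify_pmtu_strategy "$live")); audit: $(audit_pmtu_strategy "$live" "$sample")"
rm -f "$sample"
```

On a real system, pass `/etc/rc.config.d/nddconf` as the second argument to `audit_pmtu_strategy`; a `DRIFT` result means the running value will change at the next reboot.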
Darrell Tschakert
Regular Advisor

Re: Correct ip_pmtu_strategy

John,
I sent my well crafted questions off to the addresses that you gave me. They both bounced. The first time, I cut and pasted the addresses and the second time I entered them by hand. Are you sure about these addresses???

I'll add a quote when I think of one.
John Payne_2
Honored Contributor

Re: Correct ip_pmtu_strategy

Darrell,

Sorry about that, I don't know what's wrong with me today. Those should be dashes, not underscores.

security-alert@hp.com
bulletin-corrections@hp.com

John
Spoon!!!!
Darrell Tschakert
Regular Advisor

Re: Correct ip_pmtu_strategy

John,
The first address appears to be valid. The second bounced as indicated below:

>> The following message to was undeliverable.

However, I sent a second test email to the above address and, this time, it did not bounce. So, ??????.

Darrell T.
I'll add a quote when I think of one.
Darrell Tschakert
Regular Advisor

Re: Correct ip_pmtu_strategy

John,
Correction: the bulletin-corrections@hp.com address bounced both times it was tried.

DT
I'll add a quote when I think of one.
Darrell Tschakert
Regular Advisor

Re: Correct ip_pmtu_strategy

I sent a message off to the Security Bulletin people, but have not heard back yet. Hopefully this week.

I am going to leave ip_pmtu_strategy at "1" for now.

thanks,

Darrell Tschakert


I'll add a quote when I think of one.