    Enable Packetization Layer Path MTU Discovery for IPv4. · 1d1c83de
    intrigeri authored
    If any system on the path to the remote host has an MTU smaller than the standard
    Ethernet one, then Tails will receive an ICMP packet asking it to send smaller
    packets (https://en.wikipedia.org/wiki/Path_MTU_Discovery). Our firewall will
    drop such ICMP packets to the floor, and then the TCP connection won't work
    properly. This can happen to any TCP connection, but so far it's been reported
    as breaking obfs4 for actual users.
    
    The other options would be:
    
    * arbitrarily set a smaller MTU; but it will lower performance for everybody
      (even the 99% of use cases that could actually very well handle the default,
      larger MTU); worse, the chosen number will be arbitrary, given Yawning says
      that the "only MTUs that are guaranteed to be correct (ignoring horrifically
      misconfigured hosts) are 576 bytes/1280 bytes (IPv4/IPv6)", and we would
      probably not want to set this small an MTU.
    
    * accept the ICMP messages that are needed to make Path MTU Discovery work;
      the security implications are unclear.
    
    So, instead we enable Packetization Layer PMTUD (RFC 4821). The value "1", that
    we set, will selectively enable probing if the kernel thinks it's stuck in
    an ICMP black hole. This should have a lower performance impact than the value
    "2", that makes the kernel always probe.
    
    Thanks to Yawning for the help! :)
    
    Will-Fix: #9268
    1d1c83de
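
The trade-off the commit message describes, as an added example that is not part of the commit or of Tails: a simplified model of RFC 4821 probing (not the Linux kernel's algorithm) comparing ICMP-only discovery behind a firewall that drops ICMP with the "1" and "2" settings, which on Linux are values of the `net.ipv4.tcp_mtu_probing` sysctl. The retry threshold and sample paths are constructed, and every path is assumed to carry at least 576 bytes.

```python
# Simplified model of RFC 4821 probing; NOT the Linux kernel's algorithm.
ETHERNET_MTU = 1500   # standard Ethernet MTU, the size the sender starts with
BASE_SIZE = 576       # IPv4 size the page quotes as guaranteed to be correct
RETRIES = 3           # constructed threshold for "stuck in a black hole"


def delivered(size, path_mtus):
    """A don't-fragment packet arrives only if it fits the smallest hop.
    The ICMP error a router sends otherwise is dropped by the local
    firewall, so an oversized packet simply produces silence."""
    return size <= min(path_mtus)


def icmp_only(path_mtus):
    """Classic PMTUD behind a firewall that drops ICMP: nothing ever tells
    the sender to shrink, so it retransmits the same size and gives up."""
    for _ in range(RETRIES):
        if delivered(ETHERNET_MTU, path_mtus):
            return ETHERNET_MTU
    return None  # ICMP black hole: the connection stalls


def probe_search(path_mtus):
    """Binary-search the largest size that gets through, using only
    delivery or loss of probe packets as the signal. Returns (size, probes)."""
    low, high, probes = BASE_SIZE, ETHERNET_MTU, 0
    while low < high:
        mid = (low + high + 1) // 2
        probes += 1
        if delivered(mid, path_mtus):
            low = mid
        else:
            high = mid - 1
    return low, probes


def plpmtud(path_mtus, mode):
    """mode 1: probe only once a black hole is suspected; mode 2: always."""
    if mode == 1 and icmp_only(path_mtus) is not None:
        return ETHERNET_MTU, 0          # healthy path: no probing overhead
    return probe_search(path_mtus)


if __name__ == "__main__":
    tunnel_path = [1500, 1400, 1500]    # constructed: one hop below Ethernet MTU
    print("ICMP only:", icmp_only(tunnel_path))
    print("mode 1   :", plpmtud(tunnel_path, 1))
    print("mode 1 ok:", plpmtud([1500, 1500], 1))
    print("mode 2 ok:", plpmtud([1500, 1500], 2))
```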