-
intrigeri authored
If any system on the path to the remote host has a MTU smaller than the standard Ethernet one, then Tails will receive an ICMP packet asking it to send smaller packets (https://en.wikipedia.org/wiki/Path_MTU_Discovery). Our firewall will drop such ICMP packets to the floor, and then the TCP connection won't work properly. This can happen to any TCP connection, but so far it's been reported as breaking obfs4 for actual users. The other options would be: * arbitrarily set a smaller MTU; but it will lower performance for everybody (even the 99% of use cases that could actually very well handle the default, larger MTU); worse, the chosen number will be arbitrary, given Yawning says that the "only MTUs that are guaranteed to be correct (ignoring horrifically misconfigured hosts) are 576 bytes/1280 bytes (IPv4/IPv6)", and we would probably not want to set this small a MTU. * accept the ICMP messages that are needed to make Path MTU Discovery work; the security implications are unclear. So, instead we enable Packetization Layer PMTUD (RFC 4821). The value "1", that we set, will selectively enable probing if the kernel things it's stuck in a ICMP black hole. This should have a lower performance impact than the value "2", that makes the kernel always probe. Thanks to Yawning for the help! :) Will-Fix: #9268
1d1c83de