Commit 1d1c83de authored by intrigeri

Enable Packetization Layer Path MTU Discovery for IPv4.

If any system on the path to the remote host has an MTU smaller than the standard
Ethernet one, then Tails will receive an ICMP packet asking it to send smaller
packets (https://en.wikipedia.org/wiki/Path_MTU_Discovery). Our firewall will
drop such ICMP packets to the floor, and then the TCP connection won't work
properly. This can happen to any TCP connection, but so far it's been reported
as breaking obfs4 for actual users.

The other options would be:

* arbitrarily set a smaller MTU; but it will lower performance for everybody
  (even the 99% of use cases that could actually very well handle the default,
  larger MTU); worse, the chosen number will be arbitrary, given Yawning says
  that the "only MTUs that are guaranteed to be correct (ignoring horrifically
  misconfigured hosts) are 576 bytes/1280 bytes (IPv4/IPv6)", and we would
  probably not want to set this small an MTU.

* accept the ICMP messages that are needed to make Path MTU Discovery work;
  the security implications are unclear.

So, instead we enable Packetization Layer PMTUD (RFC 4821). The value "1", that
we set, will selectively enable probing if the kernel thinks it's stuck in
an ICMP black hole. This should have a lower performance impact than the value
"2", that makes the kernel always probe.

Thanks to Yawning for the help! :)

Will-Fix: #9268
parent 07d2380a
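
A check for the setting this commit describes, as an added example that is not part of the commit or of the Tails code base. It assumes the setting is the Linux sysctl `net.ipv4.tcp_mtu_probing` (the commit text gives only the values) and that the kernel default is 0; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit sysctl-style configuration for the PLPMTUD setting.
# Assumption: the sysctl is net.ipv4.tcp_mtu_probing
# (0 = off, 1 = probe only after a suspected ICMP black hole, 2 = always probe).
KEY='net.ipv4.tcp_mtu_probing'

# Print the effective value of $KEY from sysctl.conf-style text on stdin.
# The last assignment wins; comment lines (# or ;) and blank lines are skipped;
# both "a.b.c" and "a/b/c" key spellings and a leading "-" are accepted.
effective_value() {
    awk -v key="$KEY" '
        /^[ \t]*([#;]|$)/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            sub(/^-/, "", k)
            gsub(/\//, ".", k)
            if (k == key) val = v
        }
        END { if (val != "") print val; else print "unset" }
    '
}

# Verdict for a host whose firewall drops the ICMP messages that classic
# Path MTU Discovery relies on, which is the situation the commit describes.
classify() {
    case "$1" in
        1) echo "ok: probes only when an ICMP black hole is suspected" ;;
        2) echo "ok-costly: always probes" ;;
        0|unset) echo "risk: no PLPMTUD, TCP may stall behind small-MTU hops" ;;
        *) echo "invalid: unexpected value '$1'" ;;
    esac
}

audit() { classify "$(effective_value)"; }

# Constructed sample configuration: a later line overrides an earlier one.
audit <<'EOF'
# constructed sample, not taken from Tails
net.ipv4.tcp_mtu_probing = 0
net/ipv4/tcp_mtu_probing = 1
EOF
```

To check real files, concatenate them in the order the system applies them and pipe the result to `audit`.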