1. 11 Jul, 2019 2 commits
  2. 07 May, 2015 1 commit
    • Enable Packetization Layer Path MTU Discovery for IPv4. · 1d1c83de
      intrigeri authored
      If any system on the path to the remote host has an MTU smaller than the standard
      Ethernet one, then Tails will receive an ICMP packet asking it to send smaller
      packets (https://en.wikipedia.org/wiki/Path_MTU_Discovery). Our firewall will
      drop such ICMP packets to the floor, and then the TCP connection won't work
      properly. This can happen to any TCP connection, but so far it's been reported
      as breaking obfs4 for actual users.
      
      The other options would be:
      
      * arbitrarily set a smaller MTU; but it will lower performance for everybody
        (even the 99% of use cases that could actually very well handle the default,
        larger MTU); worse, the chosen number will be arbitrary, given Yawning says
        that the "only MTUs that are guaranteed to be correct (ignoring horrifically
        misconfigured hosts) are 576 bytes/1280 bytes (IPv4/IPv6)", and we would
        probably not want to set this small an MTU.
      
      * accept the ICMP messages that are needed to make Path MTU Discovery work;
        the security implications are unclear.
      
      So, instead we enable Packetization Layer PMTUD (RFC 4821). The value "1", that
      we set, will selectively enable probing if the kernel thinks it's stuck in
      an ICMP black hole. This should have a lower performance impact than the value
      "2", that makes the kernel always probe.
      
      Thanks to Yawning for the help! :)
      
      Will-Fix: #9268
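
A simplified model of the trade-off the commit message describes, added here as an illustration; it is not part of the commit or of Tails. The three modes follow the documented values of the Linux `net.ipv4.tcp_mtu_probing` sysctl; the path MTUs, the 576-byte search floor and the plain binary search are assumptions of the example, not the kernel's actual probing algorithm.

```python
# Simplified model (constructed for illustration): a packet gets through only
# if it fits the smallest MTU on the path. The ICMP "fragmentation needed"
# reply is dropped by the local firewall, so loss is the only feedback.

def delivered(size, path_mtu):
    return size <= path_mtu

def search(low, high, path_mtu):
    """Binary search between a size known to work (low) and the local MTU
    (high). Returns (largest size that got through, probes sent)."""
    probes = 0
    while low < high:
        probe = (low + high + 1) // 2
        probes += 1
        if delivered(probe, path_mtu):
            low = probe          # probe acknowledged: raise the floor
        else:
            high = probe - 1     # probe lost: lower the ceiling
    return low, probes

def connect(mode, local_mtu, path_mtu, base=576):
    """mode mirrors net.ipv4.tcp_mtu_probing: 0 = off, 1 = probe only after a
    black hole is suspected, 2 = always probe, starting from `base`.
    `base` is an assumed search floor and must fit the path.
    Returns (usable packet size or None if the connection stalls, probes)."""
    if mode == 2:
        return search(base, local_mtu, path_mtu)
    if delivered(local_mtu, path_mtu):
        return local_mtu, 0      # clean path: full size works, nothing to probe
    if mode == 0:
        return None, 0           # black hole: full-size segments never arrive
    return search(base, local_mtu, path_mtu)   # mode 1: fall back and probe

if __name__ == "__main__":
    for path_mtu in (1500, 1400):          # constructed path MTUs
        for mode in (0, 1, 2):
            print(path_mtu, mode, connect(mode, 1500, path_mtu))
```

On the clean 1500-byte path only mode 2 spends probes, while on the 1400-byte path mode 0 stalls and modes 1 and 2 both settle on 1400.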