dsa-texts/4.9.168-1+deb9u3: Recommend a value for net.ipv4.tcp_min_snd_mss

* RFC 791 says that all IPv4 hosts must be able to receive (possibly fragmented) datagrams up to 576 bytes, which implies a TCP MSS of 536 * RFC 1122 says that the default TCP MSS (if no options are given) is 536 * In practice most IPv4 connections have PMTU of at least 1400, implying a TCP MSS of at least 1360 So setting the minimum to 536 should be broadly compatible. It is also said that 500 is enough to avoid the denial-of-service attack.
author: Ben Hutchings <ben@decadent.org.uk> 2019-06-17 16:21:18 +0100
committer: Ben Hutchings <ben@decadent.org.uk> 2019-06-17 16:21:20 +0100
commit: c4610804844059b8ee20f8b65f2b790ecc3912b9 (patch)
tree: d038a2ab5e031cc55f487814d4e31ab2045e96ee /dsa-texts/4.9.168-1+deb9u3
parent: 5cb33d84f805e33ba06e74e57c2bcb8dfd12df5d (diff)
1 files changed, 3 insertions, 3 deletions
diff --git a/dsa-texts/4.9.168-1+deb9u3 b/dsa-texts/4.9.168-1+deb9u3
index 187169dc..4a039d46 100644
--- a/dsa-texts/4.9.168-1+deb9u3
+++ b/dsa-texts/4.9.168-1+deb9u3
@@ -51,9 +51,9 @@ CVE-2019-11479
     bandwidth required to deliver the same amount of data.
 
     This update introduces a new sysctl value to control the minimal MSS
-    (net.ipv4.tcp_min_snd_mss) which by default uses the formerly hard-
-    coded value of '48'. To fully protect your systems you need to raise
-    this setting to a value which fits your local network requirements.
+    (net.ipv4.tcp_min_snd_mss), which by default uses the formerly hard-
+    coded value of 48.  We recommend raising this to 536 unless you know
+    that your network requires a lower value.
 
 CVE-2019-11486
author	Ben Hutchings <ben@decadent.org.uk>	2019-06-17 16:21:18 +0100
committer	Ben Hutchings <ben@decadent.org.uk>	2019-06-17 16:21:20 +0100
commit	c4610804844059b8ee20f8b65f2b790ecc3912b9 (patch)
tree	d038a2ab5e031cc55f487814d4e31ab2045e96ee /dsa-texts/4.9.168-1+deb9u3
parent	5cb33d84f805e33ba06e74e57c2bcb8dfd12df5d (diff)