3.3.17 udp_pmtu_discover

Information

The udp_pmtu_discover parameter controls whether MTU discovery is enabled.

Rationale:

The udp_pmtu_discover parameter will be set to 0. Path MTU discovery aims to avoid packet fragmentation between remote networks: the system discovers the network route and uses the smallest MTU found along that path when transmitting packets. When udp_pmtu_discover is enabled, it leaves the system vulnerable to source routing attacks.

Solution

In /etc/tunables/nextboot, add the udp_pmtu_discover entry:

no -p -o udp_pmtu_discover=0

The -p flag makes the change permanent by writing the entry into /etc/tunables/nextboot as well as applying it to the running system.
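As an added example (not part of the CIS benchmark or the Tenable plugin), the helper below audits both sides of this control: the running value that `no -a` reports and the persisted value in /etc/tunables/nextboot. It assumes the `name = value` line format `no -a` prints on AIX and the quoted `no:` stanza format of nextboot; the sample inputs are constructed, so the script runs offline on any POSIX shell with awk.

```shell
#!/bin/sh
# Added example: audit helper for the udp_pmtu_discover tunable.
# Assumes `no -a` output lines of the form "udp_pmtu_discover = 1" and a
# /etc/tunables/nextboot stanza of the form
#   no:
#           udp_pmtu_discover = "0"

# pmtu_state reads `no -a` style output on stdin and prints
# "compliant" when udp_pmtu_discover = 0, "noncompliant" for any other
# value, and "missing" when the tunable does not appear at all.
pmtu_state() {
    awk '
        $1 == "udp_pmtu_discover" && $2 == "=" {
            found = 1
            s = ($3 == "0") ? "compliant" : "noncompliant"
            print s
            exit
        }
        END { if (!found) print "missing" }
    '
}

# nextboot_persisted reads nextboot stanza text on stdin and prints
# "persisted" when the no: stanza carries udp_pmtu_discover = "0",
# "wrong-value" when it carries something else, and "not-persisted"
# when the entry is absent (the setting would revert on reboot).
nextboot_persisted() {
    awk '
        /^[a-z0-9_]+:/ { stanza = $1; sub(":", "", stanza); next }
        stanza == "no" && $1 == "udp_pmtu_discover" && $2 == "=" {
            v = $3
            gsub(/"/, "", v)
            s = (v == "0") ? "persisted" : "wrong-value"
            print s
            exit
        }
        END { if (s == "") print "not-persisted" }
    '
}

# Constructed sample inputs standing in for `no -a` and nextboot.
SAMPLE_NO_OUTPUT='tcp_pmtu_discover = 1
udp_pmtu_discover = 1
udp_recvspace = 42080'

SAMPLE_NEXTBOOT='no:
        tcp_pmtu_discover = "0"
        udp_pmtu_discover = "0"
vmo:
        lgpg_size = "0"'

# On a real AIX host replace the samples with:
#   no -a | pmtu_state
#   nextboot_persisted < /etc/tunables/nextboot
printf 'running value: %s\n' "$(printf '%s\n' "$SAMPLE_NO_OUTPUT" | pmtu_state)"
printf 'nextboot:      %s\n' "$(printf '%s\n' "$SAMPLE_NEXTBOOT" | nextboot_persisted)"
```

A host only passes the control when the first check prints compliant and the second prints persisted; a compliant running value without the nextboot entry means the remediation was applied with `no -o` rather than `no -p -o` and will not survive a reboot.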

Default Value:

1

See Also

https://workbench.cisecurity.org/files/4119

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(12)

Plugin: Unix

Control ID: 4e206462a330dffbf0b8bf0f98d61c503926a352b22cf4770240b05fef995dfe