3.3.15 tcp_pmtu_discover

Information

The tcp_pmtu_discover parameter controls whether TCP MTU discovery is enabled.

Rationale:

The tcp_pmtu_discover parameter will be set to 0. The purpose of path MTU discovery is to avoid packet fragmentation between remote networks: the system discovers the network route and uses the smallest MTU found along that path when transmitting packets. When tcp_pmtu_discover is enabled, it leaves the system vulnerable to source routing attacks.

Solution

Run the following command, which adds the tcp_pmtu_discover entry to /etc/tunables/nextboot:

no -p -o tcp_pmtu_discover=0

The -p flag applies the value to the running system and records it in /etc/tunables/nextboot, so the change persists across reboots.
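An audit for this item has to confirm both the running value and the value that will be applied at the next boot, since no -o alone changes only the live setting. The POSIX shell snippet below is an added example, not part of the CIS benchmark or the Tenable plugin: it parses the "name = value" line that no -o tcp_pmtu_discover prints on AIX and the quoted stanza line that /etc/tunables/nextboot uses, and passes only when both are 0. The two inputs are constructed here so the check runs offline; on an AIX host you would feed it the real command output and file contents as shown in the comments.

```shell
#!/bin/sh
# Added example (not from the benchmark or the plugin). On AIX the inputs are:
#   running=$(no -o tcp_pmtu_discover)          # prints "tcp_pmtu_discover = 1"
#   nextboot=$(cat /etc/tunables/nextboot)      # stanza: tcp_pmtu_discover = "0"
# The samples below are constructed so the check can be exercised offline.

RUNNING_DEFAULT='tcp_pmtu_discover = 1'
RUNNING_HARDENED='tcp_pmtu_discover = 0'
NEXTBOOT_DEFAULT='no:
'
NEXTBOOT_HARDENED='no:
        tcp_pmtu_discover = "0"'

# pmtu_value: print the integer assigned to tcp_pmtu_discover in the given
# text, accepting both the bare form from `no -o` and the quoted form used
# in /etc/tunables/nextboot. Prints nothing when the entry is absent.
pmtu_value() {
  printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*tcp_pmtu_discover[[:space:]]*=[[:space:]]*"*\([0-9][0-9]*\)"*.*/\1/p'
}

# check_tcp_pmtu_discover RUNNING_OUTPUT NEXTBOOT_CONTENT
# Returns 0 (pass) only when the live value is 0 AND a nextboot entry of 0
# exists; a missing nextboot entry means the hardening is lost on reboot.
check_tcp_pmtu_discover() {
  running=$(pmtu_value "$1")
  nextboot=$(pmtu_value "$2")
  [ "$running" = "0" ] && [ "$nextboot" = "0" ]
}

# Stand-alone usage with the constructed samples.
for case in "default:$RUNNING_DEFAULT:$NEXTBOOT_DEFAULT" \
            "live-only:$RUNNING_HARDENED:$NEXTBOOT_DEFAULT" \
            "hardened:$RUNNING_HARDENED:$NEXTBOOT_HARDENED"; do
  name=${case%%:*}; rest=${case#*:}
  run=${rest%%:*}; nb=${rest#*:}
  if check_tcp_pmtu_discover "$run" "$nb"; then
    echo "$name: PASS"
  else
    echo "$name: FAIL (running='$(pmtu_value "$run")' nextboot='$(pmtu_value "$nb")')"
  fi
done
```

The "live-only" case is the one worth keeping in a real audit: a host where someone ran no -o tcp_pmtu_discover=0 without -p reports 0 today and silently reverts to the default of 1 after the next reboot.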

Default Value:

1

See Also

https://workbench.cisecurity.org/files/4119

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(12)

Plugin: Unix

Control ID: 66ae1181d51769b8ca66b5cec9c7a6325a02262cb2cd1e6b665efa082cbab6d1