ICMP_Scanning_45
ICMP Usage in Scanning
45
Copyright © Ofir Arkin, 2000
http://www.sys-security.com
The next-hop MTU field should be set to the size, in bytes, of the largest datagram that could be
forwarded along the path of the original datagram without being fragmented by this router. The
size includes the IP header plus IP data; no lower-level headers are included. Because every
router should be able to forward a datagram of 68 bytes without fragmenting it, the link MTU
field should not contain a value less than 68.
B.4 The TCP MSS (Maximum Segment Size) Option and Path MTU Discovery Process
The RFC specifies that a host doing Path MTU Discovery must not send datagrams larger than
576 bytes unless the receiving host grants it permission.
When a TCP connection is established, both sides announce the maximum amount of data per
packet that the remote system should send: the maximum segment size (MSS). If one of the ends
does not specify an MSS, it defaults to 536 bytes, since there is no permission from the other end
to send more than this amount. The packet generated is normally 40 bytes larger than the MSS:
20 bytes for the IP header and 20 bytes for the TCP header. Most systems announce an MSS
derived from the MTU of the interface through which traffic to the remote system leaves the
system.
Each side, upon receiving the MSS of the other side, should not send any segments larger than
the MSS received, regardless of the PMTU. After the MSS value is received, the Path MTU
Discovery process starts to take effect. We send our IP packets with the DF bit set, which lets us
recognize points in the path to our destination that cannot process packets larger than the MSS
of the destination host plus 40 bytes: a router that cannot forward such a packet returns an
ICMP Destination Unreachable error (type 3 code 4, fragmentation needed) instead of
fragmenting it. When such an ICMP error message arrives, we should lower the PMTU of the
path (according to the link MTU field or, if it is not used, according to the rules for the old
implementation) and retransmit. The value of the link MTU cannot be higher than the MSS of
the destination host. When a retransmission results from an ICMP type 3 code 4 error message,
the congestion window should not change, but slow start should be initiated. The process
continues until we arrive at the correct PMTU of the path (no more ICMP error messages from
the intermediate routers), which allows us to fragment at the TCP layer, which is much more
efficient than fragmenting at the IP layer.
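As an added illustration, not part of Arkin's paper, the following Python model walks through the process just described: the peer's MSS plus 40 bytes bounds the initial PMTU, the DF bit makes routers answer with type 3 code 4 instead of fragmenting, and the host lowers its PMTU from the next-hop MTU field or, for an old router that reports zero, from the RFC 1191 plateau table, never below 68 bytes. The path, its link MTUs and the router behaviours are constructed for the example.

```python
from dataclasses import dataclass

IP_HDR, TCP_HDR = 20, 20
DEFAULT_MSS = 536        # used when the peer sends no MSS option
MIN_MTU = 68             # every router must forward a 68-byte datagram unfragmented
# RFC 1191 plateau table, used when the ICMP error carries no next-hop MTU
PLATEAUS = [65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68]


@dataclass
class FragNeeded:
    """Constructed ICMP type 3 code 4 error; next_hop_mtu == 0 models an old router."""
    next_hop_mtu: int


def path_send(pkt_len, link_mtus):
    """Constructed path: one (link MTU, reports next-hop MTU?) pair per hop. A DF
    packet larger than a link MTU is dropped and that hop answers with type 3 code 4."""
    for mtu, reports_mtu in link_mtus:
        if pkt_len > mtu:
            return FragNeeded(mtu if reports_mtu else 0)
    return None                      # delivered end to end without fragmentation


def next_plateau(current):
    lower = [p for p in PLATEAUS if p < current]
    if not lower:
        raise ValueError("path rejects the 68-byte minimum every router must forward")
    return lower[0]


def discover_pmtu(peer_mss, if_mtu, link_mtus):
    """Return (final PMTU, TCP segment size in use, PMTUs tried in order)."""
    mss = DEFAULT_MSS if peer_mss is None else peer_mss
    # Never exceed the peer's MSS plus the 40 bytes of IP and TCP headers,
    # and never exceed our own outgoing interface MTU.
    pmtu = min(if_mtu, mss + IP_HDR + TCP_HDR)
    tried = [pmtu]
    while True:
        err = path_send(pmtu, link_mtus)     # DF bit set on every probe
        if err is None:
            return pmtu, pmtu - IP_HDR - TCP_HDR, tried
        new = err.next_hop_mtu
        if not 0 < new < pmtu:               # absent (old router) or bogus value
            new = next_plateau(pmtu)
        new = max(new, MIN_MTU)              # link MTU field must not go below 68
        if new >= pmtu:
            raise ValueError("path rejects the 68-byte minimum every router must forward")
        pmtu = new                           # lower the PMTU and retransmit
        tried.append(pmtu)
```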