What one needs to do is have a border {firewall, router, etc.} properly handle MTU
path discovery but not allow the packets into the network to discover internal
structure.
Since a network administrator should know the smallest MSS/MTU for her network, the
border gateway can reply with that for any MTU discovery packets, essentially proxying
that part of ICMP.
One does not let the ICMP packets pass through the gateway, but does implement the
protocols necessary for proper network flow.
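As an added illustration of the border policy described in this thread (pass only the ICMP needed for Path MTU discovery, drop the rest, and never let probes map the inside), here is a small filter written for this page; it is not code from any poster. It parses an inbound ICMP message, accepts only Destination Unreachable / Fragmentation Needed (type 3, code 4) with a valid checksum, and additionally checks that the original datagram quoted inside it was sent from the internal prefix, so the message is at least a plausible reply to our own traffic. The internal prefix, the addresses, and the builder helpers are constructed sample values.

```python
import ipaddress
import struct

ICMP_DEST_UNREACHABLE = 3
CODE_FRAG_NEEDED = 4          # "would fragment": the message PMTU discovery relies on
ICMP_ECHO_REQUEST = 8
IPV4_HEADER_LEN = 20
MIN_IPV4_MTU = 68             # RFC 791 minimum every link must carry


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a message whose field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, body: bytes) -> bytes:
    """Assemble an ICMP message with a correct checksum (sample-construction helper)."""
    header = struct.pack("!BBH", icmp_type, code, 0)
    cksum = icmp_checksum(header + body)
    return struct.pack("!BBH", icmp_type, code, cksum) + body


def build_frag_needed(inner_src: str, inner_dst: str, next_hop_mtu: int) -> bytes:
    """Constructed sample of what a router sends when a DF datagram exceeds its next hop.
    Body: 2 unused bytes, 2-byte next-hop MTU (RFC 1191), original IP header + 8 bytes."""
    inner_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,          # DF flag set, proto TCP
        ipaddress.IPv4Address(inner_src).packed,
        ipaddress.IPv4Address(inner_dst).packed,
    )
    inner_l4 = struct.pack("!HHI", 40000, 443, 1)       # first 8 bytes of the TCP header
    body = struct.pack("!HH", 0, next_hop_mtu) + inner_hdr + inner_l4
    return build_icmp(ICMP_DEST_UNREACHABLE, CODE_FRAG_NEEDED, body)


def filter_inbound_icmp(msg: bytes, internal_net: str):
    """Border decision for one inbound ICMP message: returns ("accept"|"drop", reason)."""
    if len(msg) < 8:
        return "drop", "truncated ICMP header"
    if icmp_checksum(msg) != 0:
        return "drop", "bad ICMP checksum"
    icmp_type, code = msg[0], msg[1]
    if icmp_type != ICMP_DEST_UNREACHABLE or code != CODE_FRAG_NEEDED:
        # Echo, timestamp, mask requests etc. never cross the border inbound.
        return "drop", "policy: only type 3 code 4 passes the border"
    if len(msg) < 8 + IPV4_HEADER_LEN + 8:
        return "drop", "missing embedded original datagram"
    next_hop_mtu = struct.unpack("!H", msg[6:8])[0]
    inner = msg[8:8 + IPV4_HEADER_LEN]
    if inner[0] >> 4 != 4:
        return "drop", "embedded header is not IPv4"
    inner_src = ipaddress.IPv4Address(inner[12:16])
    inner_dst = ipaddress.IPv4Address(inner[16:20])
    net = ipaddress.IPv4Network(internal_net)
    # The quoted datagram must have left from inside; otherwise this cannot be a reply to us.
    if inner_src not in net:
        return "drop", "embedded source %s is not inside %s" % (inner_src, net)
    # 0 means a pre-RFC 1191 router; anything else below the IPv4 minimum is nonsense.
    if 0 < next_hop_mtu < MIN_IPV4_MTU:
        return "drop", "implausible next-hop MTU %d" % next_hop_mtu
    return "accept", "PMTU update for %s -> %s: %d" % (inner_src, inner_dst, next_hop_mtu)


if __name__ == "__main__":
    good = build_frag_needed("10.0.0.5", "198.51.100.7", 1400)
    spoofed = build_frag_needed("192.0.2.9", "198.51.100.7", 1400)
    echo = build_icmp(ICMP_ECHO_REQUEST, 0, b"\x00\x01\x00\x01")
    for name, pkt in (("good", good), ("spoofed", spoofed), ("echo", echo)):
        print(name, filter_inbound_icmp(pkt, "10.0.0.0/8"))
```

The embedded-source check is what makes the accepted message useful without turning the border into a probe target: a forged type 3/4 that does not quote a datagram from inside says nothing about a real path and is dropped, while a genuine one only ever tells the internal host to shrink its MTU toward a destination it was already talking to.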
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Michael H. Warfield
Sent: Monday, January 01, 2001 11:45
To: Nancy Davis
Cc: Olivier Kaloudoff; [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; Nancy Davis
Subject: Re: List of "safe" ICMP types and codes
On Mon, Jan 01, 2001 at 09:24:57AM -0700, Nancy Davis wrote:
> > ]> Is there something wrong with blocking all inbound icmp?
> > ]
> > ]Yes, your network connectivity will greatly suffer. Performance Problems
> > ]from failed Path MTU discovery and inability to debug connectivity problems.
> I disagree. You can open a single host for network
> checking with ping and traceroute, but you certainly
> do not need to let your entire network be vulnerable
> to ICMP probing.
I think you badly missed the point. The question was NOT to open
up the network to ALL ICMP (which would be foolish) but rather the question
was about blocking all ICMP (which is almost as bad). The middle ground
is to examine and accept those ICMP which are useful, safe, and (in some
cases) necessary for proper functioning of the network. The most
significant of that class is "ICMP UNREACHABLE WOULD_FRAGMENT". You seem to
have totally missed the point of the MTU discovery issues and discussion.
So tell me now... How would opening a firewall for inbound
ICMP UNREACHABLE WOULD_FRAGMENT "let your entire network be vulnerable
to ICMP probing"?
> Nancy Davis
> >
> > here is an url for a description of such troubles;
> > http://www.worldgate.ca/~marcs/mtu/
You quoted the original poster's URL for MTU issues, but didn't
respond to those issues. Did you read the discussion over MTU discovery?
Things break, they really do, when this breaks down. They can be real
buggers to track down and fix if you don't realize what you've broken
(been there, got that teeshirt).
> > Olivier
Mike
--
Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]