Hmmm. I thought the direction we were going is destination, not source. I
know my source MTU but can't rely on the destination MTU. That is where the
problems occur and fragmentation can be an issue. The "ICMP UNREACHABLE
WOULD_FRAGMENT" messages need to reach the source of the transmission if
they set DF (don't fragment) to true.
I have also seen some very bizarre behavior, specifically with Winblowz
clients setting fields in IP headers that they shouldn't even think of
going near. How does that quote go? "Networking would be great if it wasn't
for those pesky users." :)
Happy New Year,
Neil Sobrado
SUNY New Paltz
Voice (914) 257-3137
FAX (914) 257-6900
On Mon, 1 Jan 2001, Bill Royds wrote:
> What one needs to do is have a border {firewall, router, etc.} properly handle MTU
> path discovery but not allow the packets into the network to discover internal
> structure.
> Since a network administrator should know the smallest MSS/MTU for her network,
> the border gateway can reply with that for any MTU discovery packets, essentially
> proxying that part of ICMP.
> One does not let the ICMP packets pass through the gateway, but does implement
> the protocols necessary for proper network flow.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Michael H. Warfield
> Sent: Monday, January 01, 2001 11:45
> To: Nancy Davis
> Cc: Olivier Kaloudoff; [EMAIL PROTECTED]; [EMAIL PROTECTED];
> [EMAIL PROTECTED]; Nancy Davis
> Subject: Re: List of "safe" ICMP types and codes
>
>
> On Mon, Jan 01, 2001 at 09:24:57AM -0700, Nancy Davis wrote:
> > > ]> Is there something wrong with blocking all inbound icmp?
> > > ]
> > > ]Yes, your network connectivity will greatly suffer. Performance Problems
> > > ]from failed Path MTU discovery and inability to debug connectivity problems.
>
> > I disagree. You can open a single host for network
> > checking with ping and traceroute, but you certainly
> > do not need to let your entire network be vulnerable
> > to ICMP probing.
>
> I think you badly missed the point. The question was NOT to open
> up the network to ALL ICMP (which would be foolish) but rather the question
> was about blocking all ICMP (which is almost as bad). The middle ground
> is to examine and accept those ICMP which are useful, safe, and (in some
> cases) necessary for proper functioning of the network. The most
> significant of that class is "ICMP UNREACHABLE WOULD_FRAGMENT". You seem to
> have totally missed the point of the MTU discovery issues and discussion.
>
> So tell me now... How would opening a firewall for inbound
> ICMP UNREACHABLE WOULD_FRAGMENT "let your entire network be vulnerable
> to ICMP probing"?
>
> > Nancy Davis
> > >
> > > here is an url for a description of such troubles;
> > > http://www.worldgate.ca/~marcs/mtu/
>
> You quoted the original poster's URL for MTU issues, but didn't
> respond to those issues. Did you read the discussion over MTU discovery?
> Things break, they really do, when this breaks down. They can be real
> buggers to track down and fix if you don't realize what you've broken
> (been there, got that T-shirt).
>
> > > Olivier
>
> Mike
> --
> Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
> (The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
> NIC whois: MHW9 | An optimist believes we live in the best of all
> PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
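The middle ground Michael describes (drop all inbound ICMP except the "would fragment" message, and only when it belongs to a flow an inside host actually started with DF set) and the gateway-side reply Bill describes (a border device emitting a type 3 / code 4 carrying its own next-hop MTU) are shown below in one worked example. This is an added illustration written for this page, not code from any poster or from any firewall product; the addresses, ports, the 1280-byte link MTU and the flow-table layout are constructed assumptions, and the packet layouts follow RFC 792 (ICMP), RFC 791 (IPv4) and RFC 1191 (next-hop MTU field).

```python
"""Stateful inbound ICMP filter for the "would fragment" case (ICMP type 3, code 4)
plus the gateway-side builder for that message.  Constructed example: every
address, port and MTU value here is an assumption, not taken from the thread."""
import socket
import struct
from typing import Optional

ICMP_PROTO = 1
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4          # "fragmentation needed and DF set"
IP_DF = 0x4000                # Don't Fragment bit in the IPv4 flags/fragment field
IPV4_MIN_MTU = 68             # RFC 791: every link must carry a 68-byte datagram


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, df: bool = True) -> bytes:
    """20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      IP_DF if df else 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> Optional[dict]:
    """Minimal IPv4 header parser; None for anything that is not a sane v4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    (_, _, total_len, _, flags_frag, _, proto, _,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"ihl": ihl, "total_len": total_len, "df": bool(flags_frag & IP_DF),
            "proto": proto, "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst), "payload": pkt[ihl:]}


def build_frag_needed(orig_pkt: bytes, gateway_ip: str, next_hop_mtu: int) -> bytes:
    """ICMP 3/4 that a gateway sends back to the sender of an oversized DF packet.
    Body = 4 unused bytes (high half) + next-hop MTU (RFC 1191) + the original IP
    header and the first 8 bytes of its payload.  This is the message Bill's
    proxying gateway would emit with the network's smallest MTU filled in."""
    ip = parse_ipv4(orig_pkt)
    icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    icmp += orig_pkt[: ip["ihl"] + 8]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return build_ipv4(gateway_ip, ip["src"], ICMP_PROTO, icmp, df=False)


class IcmpFilter:
    """Border policy: every inbound ICMP is dropped except a 3/4 that provably
    belongs to a TCP/UDP flow an inside host originated with DF set."""

    def __init__(self) -> None:
        self.flows: set = set()   # (src, dst, proto, sport, dport) seen outbound

    def note_outbound(self, pkt: bytes) -> None:
        ip = parse_ipv4(pkt)
        if ip and ip["proto"] in (6, 17) and len(ip["payload"]) >= 4:
            sport, dport = struct.unpack("!HH", ip["payload"][:4])
            self.flows.add((ip["src"], ip["dst"], ip["proto"], sport, dport))

    def inbound_verdict(self, pkt: bytes) -> str:
        ip = parse_ipv4(pkt)
        if ip is None or ip["proto"] != ICMP_PROTO:
            return "NOT-ICMP"               # handed to the ordinary TCP/UDP rules
        icmp = ip["payload"]
        if len(icmp) < 8 or checksum(icmp) != 0:
            return "DROP: malformed ICMP"
        typ, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
        if (typ, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
            return "DROP: type/code not on the allow-list"
        inner = parse_ipv4(icmp[8:])        # the quoted original datagram
        if inner is None or len(inner["payload"]) < 8:
            return "DROP: no quoted original header + 8 bytes"
        if not inner["df"]:
            return "DROP: original did not set DF, so nobody is waiting for this"
        if inner["src"] != ip["dst"]:
            return "DROP: error not addressed to the host that sent the original"
        sport, dport = struct.unpack("!HH", inner["payload"][:4])
        if (inner["src"], inner["dst"], inner["proto"], sport, dport) not in self.flows:
            return "DROP: no matching outbound flow (spoofed or stale)"
        if not IPV4_MIN_MTU <= mtu < inner["total_len"]:
            # RFC 1191: a host must never *raise* its PMTU estimate from this message
            return "DROP: implausible next-hop MTU %d" % mtu
        return "ACCEPT: lower PMTU for %s -> %s to %d" % (inner["src"], inner["dst"], mtu)


def demo() -> tuple:
    """Constructed scenario: inside host 10.0.0.5 talks TCP/443 to 198.51.100.7 with
    DF, and a gateway at 203.0.113.1 on a 1280-byte link rejects a 1440-byte packet."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x18, 65535, 0, 0) + b"A" * 1400
    outbound = build_ipv4("10.0.0.5", "198.51.100.7", 6, tcp, df=True)
    fw = IcmpFilter()
    fw.note_outbound(outbound)
    good = build_frag_needed(outbound, "203.0.113.1", 1280)
    # Echo request, a 3/4 for a flow nobody inside sent, and a 3/4 claiming a larger MTU.
    ping = build_ipv4("203.0.113.9", "10.0.0.5", ICMP_PROTO,
                      struct.pack("!BBHHH", 8, 0, 0xF7FF, 0, 0), df=False)
    forged = build_frag_needed(build_ipv4("10.0.0.9", "198.51.100.7", 6, tcp), "203.0.113.1", 1280)
    bigger = build_frag_needed(outbound, "203.0.113.1", 1500)
    return (fw.inbound_verdict(good), fw.inbound_verdict(ping),
            fw.inbound_verdict(forged), fw.inbound_verdict(bigger))


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The checks mirror what a modern stateful firewall does for "related" ICMP: the quoted inner header must name a flow the inside host actually opened, the outer destination must be that host, and the advertised MTU must be smaller than the packet it complains about. Everything else, including echo requests and redirects, never reaches the inside, which is the answer to the "vulnerable to ICMP probing" objection. In a NAT'd deployment the inner-source check would have to be done against the translated address instead.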