Re: [CentOS] Re: Sendmail and pmtu discovery

2008-10-14 Thread Ralph Angenendt
Scott Silva wrote:
> on 10-14-2008 6:24 AM Ralph Angenendt spake the following:
>
> > So you basically broke your internet connection because of stupid
> > customers? No, there isn't anything you can do on your side -
> > especially if you don't know how large their MTU is set (which you
> > cannot discover, as they forbid you to do so). So you can only hope
> > that you get exactly the same MTU as they have (and that there is
> > nothing in between which has a lower MTU).
> >
> > It is their problem. If they don't want to play by the rules, they
> > should have to sit out the problems they themselves created.
>
> Sometimes you can't be so hard headed when you are dealing with
> customers. You usually are trying to get them to give money to YOU,
> not your competitor.
>
> If I told my customers that "It is your problem", I would no longer
> have customers to worry about!

But your competitor wouldn't be able to send them mails either :)

As said, they deliberately broke their internet connection, so there isn't
much you can do except setting your MTU to an extremely low value and hope 
that there's nothing in between which has an even lower MTU.

So your best choice would be to do some consulting and give them some advice
on what they did wrong and how they can selectively block ICMP types (for 
example redirect and such).

Cheers,

Ralph

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
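
Added example (not part of the original thread, and not code from any poster): a small Python model of the ICMP "fragmentation needed" message that path MTU discovery depends on, comparing a drop-all-ICMP filter with a selective one of the kind suggested above. The allowed type list, the addresses and the 1400-byte next-hop MTU are constructed assumptions.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes) -> bytes:
    """Build an ICMPv4 message; `rest` is the 4 bytes after the checksum."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def parse_icmp(msg: bytes):
    """Return (type, code, next_hop_mtu); the MTU is None unless type 3 code 4."""
    if len(msg) < 8 or inet_checksum(msg) != 0:
        raise ValueError("truncated or corrupt ICMP message")
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    return icmp_type, code, (mtu if (icmp_type, code) == (3, 4) else None)

def drop_all(icmp_type: int, code: int) -> bool:
    """The customer's policy from the thread: no ICMP gets through."""
    return False

def selective(icmp_type: int, code: int) -> bool:
    """Assumed policy: drop redirects (type 5) and other unlisted types, pass
    echo (0, 8), unreachable (3), time exceeded (11), parameter problem (12)."""
    return icmp_type in (0, 3, 8, 11, 12)

def sender_path_mtu(policy, incoming, start_mtu: int = 1500) -> int:
    """Path MTU the sender learns from the ICMP that survives the filter."""
    mtu = start_mtu
    for msg in incoming:
        icmp_type, code, hop_mtu = parse_icmp(msg)
        if policy(icmp_type, code) and hop_mtu is not None and 68 <= hop_mtu < mtu:
            mtu = hop_mtu  # RFC 1191: shrink to the reported next-hop MTU
    return mtu

# Constructed sample data: header of a 1500-byte DF packet, documentation addresses.
ORIG = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                   bytes([192, 0, 2, 10]), bytes([198, 51, 100, 25]))
FRAG_NEEDED = build_icmp(3, 4, struct.pack("!HH", 0, 1400), ORIG)  # next-hop MTU 1400
REDIRECT = build_icmp(5, 1, bytes([192, 0, 2, 1]), ORIG)

if __name__ == "__main__":
    for name, policy in (("drop all ICMP", drop_all), ("selective", selective)):
        print(name, "->", sender_path_mtu(policy, [REDIRECT, FRAG_NEEDED]))
```

With the drop-all filter the sender stays at 1500 and keeps sending packets the narrow hop cannot forward; with the selective filter the redirect is still discarded but the sender learns the smaller MTU.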


Re: [CentOS] Re: Sendmail and pmtu discovery

2008-10-14 Thread Les Mikesell

Ralph Angenendt wrote:

> As said, they deliberately broke their internet connection, so there isn't
> much you can do except setting your MTU to an extremely low value and hope
> that there's nothing in between which has an even lower MTU.

It doesn't have to be extremely low, it just has to be low enough.  The
usual reason for needing to be less than the 1500 bytes permitted by
ethernet would be using some sort of tunnel protocol for PPPoE or a VPN.
1460 might keep everybody happy.


--
  Les Mikesell
   [EMAIL PROTECTED]



Re: [CentOS] Re: Sendmail and pmtu discovery

2008-10-14 Thread Sean Carolan
Thanks for the information.  If I understand this correctly, the
client would have to convince the owner of each and every router hop
along the way to disable PMTU discovery if he insists on dropping all
ICMP packets?

And Scott hit the nail on the head with this comment:

> Sometimes you can't be so hard headed when you are dealing with customers. You
> usually are trying to get them to give money to YOU, not your competitor.
>
> If I told my customers that "It is your problem", I would no longer have
> customers to worry about!

If you've ever dealt with one of these paranoid Mordac-type
security managers you know exactly what I'm talking about.  In our
case the path of least resistance was to disable pmtu discovery, and
tell the customer that we've done all we possibly can to alleviate the
issue on our end.  Hopefully they come to their senses and allow ICMP
packets like every major ISP and mail provider on the Internet.


Re: [CentOS] Re: Sendmail and pmtu discovery

2008-10-14 Thread Ralph Angenendt
Les Mikesell wrote:
> Ralph Angenendt wrote:
>
> > As said, they deliberately broke their internet connection, so there isn't
> > much you can do except setting your MTU to an extremely low value and
> > hope that there's nothing in between which has an even lower MTU.
>
> It doesn't have to be extremely low, it just has to be low enough.  The
> usual reason for needing to be less than the 1500 bytes permitted by
> ethernet would be using some sort of tunnel protocol for PPPoE or a VPN.
> 1460 might keep everybody happy.

Might being the operative word here, yes.

Ralph



Re: [CentOS] Re: Sendmail and pmtu discovery

2008-10-14 Thread Chris Boyd


On Oct 14, 2008, at 1:59 PM, Sean Carolan wrote:

> If you've ever dealt with one of these paranoid Mordac-type
> security managers you know exactly what I'm talking about.  In our
> case the path of least resistance was to disable pmtu discovery, and
> tell the customer that we've done all we possibly can to alleviate the
> issue on our end.  Hopefully they come to their senses and allow ICMP
> packets like every major ISP and mail provider on the Internet.

Yes, but then you have broken your equipment, and possibly lost the  
ability to communicate with many more customers.


Yes, I've dealt with these people.  If they turn off all ICMP, they  
often drop fragments as well, making the problem even worse. You can  
sometimes get them to listen by asking them if their Internet access  
seems a little weird in that some sites work sometimes or downloads  
are slow or they can't get some email :-)


They'll usually say yes and then you might be able to get them to  
listen, and hopefully send them a bill.


--Chris