Hi,

> Furthermore ICMP is _mandatory_ for MTU path discovery to work. So be ready
> for all kinds of non-functioning stuff if you transfer larger packets than the
> MTU somewhere in the middle (such as trying to squeeze a 1500 byte ethernet
> packet into an IPSec tunnel with a MTU around 1426). TCP/IP is built in the
> way that it reacts on these ICMP MTU mismatch messages when packets get
> dropped on the way due to too big size. TCP can adapt but if ICMP is filtered
> away, then TCP will not notice and an endless retransmission dance begins. The
> odd thing there is that it "kinda works". Sometimes it's just slow and
> sometimes nothing works. We use IPSec in our network heavily and we have seen
> that happening with large corporations such as Networksolutions.com (which is
> one of the oldest companies in the internet, they should know this stuff!).
> This can be a big issue. So if I ever find a consultant telling me I should
> filter away ICMP just because, I will kick him out of the door immediately.
> The only reason where this could be valid is if you still have Windows95
> machines in your network due to the "ping-of-death" bug. But if you have that,
> then you're hopelessly lost anyway.

This is basically only true for IPv6. In IPv4 network devices can fragment.
This does not mean that I would consider filtering ICMP a reasonable idea.

>
> Let's face it. Firewalls and NAT have been built to break the internet in the
> way it has been intended with all kinds of strange side effects. Thinking
> they are the only defence to protect you is so wrong. Social engineering
> brings hackers behind firewalls and they attack from within. A well
> secured localhost is way more important. I'm using machines on public IPs
> without firewall or NAT in between over 20 years and the issues I've seen
> have all been controllable (but I'm not an interesting target to hack like a
> Bank). On the other hand NAT & Firewalls (and their admins) have turned out
> to be a way bigger problem.

NAT and Firewalls are not the biggest problem, but there are just too many
people around configuring these devices with a limited understanding of how
the internet works.

regards
Robert

--
Robert Meyer
r.me...@net-wizard.org
_______________________________________________
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
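As an added illustration, not part of the thread, the following Python simulation models the path MTU discovery mechanics the quoted message describes (ICMP "Fragmentation Needed" / IPv6 "Packet Too Big" feedback, and the retransmission black hole when that ICMP is filtered) together with Robert's caveat that IPv4 routers can fragment when DF is clear. The path of link MTUs, the `simulate_pmtud` and `classify` functions, and the packet sizes are all constructed for this example; the 1500-byte Ethernet and ~1426-byte IPsec tunnel figures are the ones named in the quote. The `classify` helper reproduces the "kinda works" symptom: small interactive packets pass while full-size bulk packets stall.

```python
"""Toy simulation of path MTU discovery (PMTUD) across a path of links.

Added example, not code from the swinog thread. The path, MTUs and packet
sizes are constructed; 1500 (Ethernet) and 1426 (IPsec tunnel) are the
figures mentioned in the quoted message.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Result:
    delivered: bool     # did the packet (or its fragments) reach the far end?
    path_mtu: int       # the MTU the sender believes the path has afterwards
    attempts: int       # transmissions of the packet, including the successful one
    fragmented: bool    # did a router fragment in transit (IPv4 with DF clear only)


def simulate_pmtud(path_mtus: List[int], packet_size: int, icmp_filtered: bool,
                   ipv6: bool = False, df: bool = True, max_attempts: int = 8) -> Result:
    """Send one packet of `packet_size` bytes across links with the given MTUs.

    Simplified rules (constructed for illustration):
      * The sender starts by assuming the path MTU equals its own link MTU.
      * If the packet exceeds a link MTU and DF is set, the router drops it and
        sends ICMP "Fragmentation Needed" (IPv6: "Packet Too Big") carrying that
        link's MTU. If that ICMP is filtered, the sender learns nothing and
        retransmits the same size until it gives up: the PMTUD black hole.
      * IPv4 with DF clear: the router fragments instead, so delivery works even
        with ICMP filtered (Robert's point). IPv6 routers never fragment, so DF
        is effectively always set.
    """
    if ipv6:
        df = True
    mtu = path_mtus[0]
    fragmented = False
    for attempt in range(1, max_attempts + 1):
        size = min(packet_size, mtu)   # sender sizes the packet to its current estimate
        blocking_mtu = None
        for link_mtu in path_mtus:
            if size > link_mtu:
                if df:
                    blocking_mtu = link_mtu   # dropped here, ICMP generated
                    break
                fragmented = True             # router fragments to fit this link
                size = link_mtu
        if blocking_mtu is None:
            return Result(True, mtu, attempt, fragmented)
        if icmp_filtered:
            continue                          # no feedback: retransmit, same size
        mtu = blocking_mtu                    # ICMP received: shrink and retry
    return Result(False, mtu, max_attempts, fragmented)


def classify(path_mtus: List[int], icmp_filtered: bool, ipv6: bool = False) -> Dict[str, bool]:
    """The "kinda works" symptom: small packets (interactive traffic) get through,
    full-size packets (bulk transfer) stall when ICMP is filtered."""
    small = simulate_pmtud(path_mtus, 100, icmp_filtered, ipv6=ipv6)
    large = simulate_pmtud(path_mtus, path_mtus[0], icmp_filtered, ipv6=ipv6)
    return {"small_ok": small.delivered, "large_ok": large.delivered}


if __name__ == "__main__":
    # Constructed path: Ethernet -> IPsec tunnel (MTU 1426) -> Ethernet
    path = [1500, 1426, 1500]
    for filtered in (False, True):
        print(f"ICMP filtered={filtered}:", simulate_pmtud(path, 1500, icmp_filtered=filtered))
    print("IPv4, DF clear, ICMP filtered:",
          simulate_pmtud(path, 1500, icmp_filtered=True, df=False))
    print("symptoms with ICMP filtered (IPv6):", classify(path, True, ipv6=True))
```

With ICMP allowed the sender converges to 1426 on the second attempt; with it filtered and DF set (or on IPv6) the 1500-byte packet never arrives, while the 100-byte packet always does, which is exactly why such a setup looks "slow" or "sometimes working" rather than clearly broken.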