[104359] in North American Network Operators' Group
Re: [NANOG] Microsoft.com PMTUD black hole?
daemon@ATHENA.MIT.EDU (Deepak Jain)
Wed May 7 18:07:31 2008
Date: Wed, 07 May 2008 18:07:06 -0400
From: Deepak Jain <deepak@ai.net>
To: Nathan Anderson/FSR <nathana@fsr.com>
In-Reply-To: <48220209.8000407@fsr.com>
Cc: nanog@merit.edu
Reply-To: deepak@ai.net
Errors-To: nanog-bounces@nanog.org
Nathan Anderson/FSR wrote:
> Nevertheless, the person I have been in contact with is naturally not
> the final decision-maker on this issue and is going to continue to pass
> the issue on up the chain of command for me. So although this issue is
> not over and I do not have a final verdict from MS yet, I felt that,
> given that I don't know how much time to expect to pass between now and
> when that final verdict is rendered, it would be appropriate to let
> everybody here know what I have learned thus far. Hopefully public
> dissemination of this information factoid will prevent others in a
> position similar to mine from having to helplessly beat their heads into
> their keyboards.
Let's also not ignore the generally overworked IT administrator at any
small or medium-sized enterprise. He/she may not be (as many folks I've
run into are) of the mistaken impression that ICMP *is* bad and leaves
you vulnerable to all sorts of things like SMURF. There are even tools
out there that "test" your vulnerability by "pinging" you and do other
investigations.
I know of a tool that a major financial institution uses when certifying
your network's security -- that scrapes the version number from your
ESMTP banner to decide whether you comply or not (and other banners).
(Rather than actually testing for a specific vulnerability.) Simply
blocking all of these packets from their test host gives you a high
passing score; possibly a perfect one. [Irony and humor aside...]
Many non-SP IT folks think they understand TCP, grudgingly accept UDP
for DNS from external sources and think everything else is bollocks.
Many *might* have a fit if they saw Microsoft accepting ICMPs because
that seems inconsistent with their knowledge of turn-the-knob network
security. To their view, their Linksys/Netgear/whathaveyou COTS
firewalls block everything too.
I don't think I'm exaggerating here.
Just a thought, not saying it's a good one or whose fault it is...
Deepak Jain
AiNET
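As an added illustration of the PMTUD black hole this thread is about (example code written for this page, not something posted to the list): the "block all ICMP" knob discards the one message Path MTU Discovery cannot work without, the Destination Unreachable / Fragmentation Needed error (RFC 1191), which carries the next-hop MTU. The packets below are constructed samples, and the two policy functions are hypothetical firewall rules.

```python
import struct

# ICMPv4 values from RFC 792 and RFC 1191
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4          # "fragmentation needed and DF set"
ICMP_ECHO_REQUEST = 8

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum of 16-bit words (pads an odd trailing byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest_of_header: int, payload: bytes) -> bytes:
    """Serialise an ICMPv4 message with a correct checksum (constructed sample traffic)."""
    hdr = struct.pack("!BBHI", icmp_type, code, 0, rest_of_header)
    csum = icmp_checksum(hdr + payload)
    return hdr[:2] + struct.pack("!H", csum) + hdr[4:] + payload

def parse_icmp(packet: bytes) -> dict:
    """Validate the 8-byte header and checksum; extract next-hop MTU for Type 3/Code 4."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, rest = struct.unpack("!BBHI", packet[:8])
    msg = {"type": icmp_type, "code": code}
    if icmp_type == ICMP_DEST_UNREACH and code == ICMP_FRAG_NEEDED:
        msg["next_hop_mtu"] = rest & 0xFFFF   # RFC 1191: MTU sits in the low 16 bits
    return msg

def blanket_drop(msg: dict) -> str:
    """The 'ICMP is bad' knob: every ICMP message dropped, PMTUD signalling included."""
    return "drop"

def pmtud_safe(msg: dict) -> str:
    """Same posture, except the one message PMTUD cannot work without is let through."""
    if msg["type"] == ICMP_DEST_UNREACH and msg["code"] == ICMP_FRAG_NEEDED:
        return "accept"
    return "drop"
# Constructed samples: a router's Frag-Needed for a 1400-byte next hop (payload = quoted
# original IP header + 8 bytes, zero-filled here) and an ordinary echo request.
FRAG_NEEDED = build_icmp(ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 1400, b"\x45" + b"\x00" * 27)
ECHO_REQUEST = build_icmp(ICMP_ECHO_REQUEST, 0, (1 << 16) | 1, b"ping")
def black_holes_pmtud(policy) -> bool:
    """True when the policy discards Frag-Needed, i.e. creates a PMTUD black hole."""
    return policy(parse_icmp(FRAG_NEEDED)) == "drop"
```

Running `black_holes_pmtud` over both policies shows that only the blanket rule black-holes PMTUD, while `pmtud_safe` still drops the echo request the "pinging" test tools rely on.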
_______________________________________________
NANOG mailing list
NANOG@nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog