[104373] in North American Network Operators' Group
Re: [NANOG] Microsoft.com PMTUD black hole?
daemon@ATHENA.MIT.EDU (Hank Nussbacher)
Thu May 8 17:10:46 2008
Date: Fri, 9 May 2008 00:10:12 +0300 (IDT)
From: Hank Nussbacher <hank@efes.iucc.ac.il>
To: Michael Sinatra <michael@rancid.berkeley.edu>
In-Reply-To: <482206FE.3030000@rancid.berkeley.edu>
Cc: nanog@merit.edu
Errors-To: nanog-bounces@nanog.org
On Wed, 7 May 2008, Michael Sinatra wrote:
> Nathan Anderson/FSR wrote:
>> Here is a brief update on the situation:
>>
>> I have been in contact with someone at Microsoft's service operations
>> center, who has confirmed for me that MS does in fact block _all_ ICMP
>> at the edge of their network, that they are aware that this will in fact
>> break PMTUD, and that they have no current plans to change this practice
>> which they have implemented in the interest of security.
>
> Although the need for your previous apology has already been questioned
> in this forum, the confirmation that they block not only certain ICMP
> types, but all ICMP, further vacates the need for any apology for
> criticizing this behavior in a public forum. It is disheartening for
> those of us who use and support MSFT's products to learn that their
> understanding of security lacks even the basic nuance to know not to
> block an entire--critical--portion of the Internet Protocol. Perhaps
> they should also block _all_ TCP and UDP as well, and then we can move on.
>
> I agree with Iljitsch that it happens frequently, but I think I am
> justified in expecting more than that from Microsoft. Anything less
> would be unprofessional.
I wonder if MS knows about:
ICMP Packet Filtering v1.2 from 2003:
http://www.cymru.com/Documents/icmp-messages.html
Only been around 5 years or so. Hopefully MS people reading this email
will take note, read the entire page and implement what everyone else has
been doing for a number of years.
-Hank
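The failure mode the thread describes, as an added illustration that is not part of any message above: a toy model of RFC 1191 path MTU discovery behind an edge filter, comparing a "drop all ICMP" policy with one that lets the Destination Unreachable / fragmentation-needed message (type 3, code 4) through. The policy contents and path MTUs are constructed for the example, not taken from the Cymru document.

```python
# Constructed model: a DF-set sender probing a path whose hops have the listed MTUs.
# An inbound ICMP filter at the sender's edge decides whether the router's
# "fragmentation needed" message ever reaches the host.

FRAG_NEEDED = (3, 4)   # ICMP type 3 (Destination Unreachable), code 4 (DF set, fragment needed)

# Edge-filter policies, expressed as the set of (type, code) pairs allowed inbound.
BLOCK_ALL_ICMP = frozenset()                       # the behaviour criticised in the thread
# Illustrative selective policy (assumption for this example): unreachable codes 0/1/3/4
# for reachability and PMTUD, plus time-exceeded for traceroute. Echo is still dropped.
SELECTIVE_ICMP = frozenset({(3, 0), (3, 1), (3, 3), (3, 4), (11, 0), (11, 1)})


def icmp_passes(policy, icmp_type, code):
    """True if the edge filter lets this ICMP (type, code) reach the host."""
    return (icmp_type, code) in policy


def pmtud(path_mtus, policy, initial_mtu=1500, max_rounds=10):
    """Simulate PMTUD for one sender.

    Returns (mtu_in_use, delivered). delivered is False when the sender keeps
    retransmitting a packet that is too big and never hears why: a PMTUD black hole.
    """
    mtu = initial_mtu
    for _ in range(max_rounds):
        # First hop whose link MTU is smaller than the packet the sender is emitting.
        bottleneck = next((m for m in path_mtus if m < mtu), None)
        if bottleneck is None:
            return mtu, True            # packet fits every link; delivered
        # The router at the bottleneck generates type 3 / code 4 carrying its next-hop MTU.
        if not icmp_passes(policy, *FRAG_NEEDED):
            return mtu, False           # message filtered; sender cannot adapt
        mtu = bottleneck                # RFC 1191: adopt the advertised MTU and resend
    return mtu, False                   # gave up after too many rounds


if __name__ == "__main__":
    path = [1500, 1492, 1400]           # constructed: PPPoE hop then a tunnel hop
    print("selective filter:", pmtud(path, SELECTIVE_ICMP))   # (1400, True)
    print("block all ICMP:  ", pmtud(path, BLOCK_ALL_ICMP))   # (1500, False)
```

Small packets that fit the whole path are unaffected by either policy, which is why such black holes typically appear only for bulk transfers and larger responses.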
_______________________________________________
NANOG mailing list
NANOG@nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog