[104393] in North American Network Operators' Group


Re: [NANOG] Microsoft.com PMTUD black hole?

daemon@ATHENA.MIT.EDU (Matthew Petach)
Mon May 12 12:19:43 2008

Date: Mon, 12 May 2008 09:19:06 -0700
From: "Matthew Petach" <mpetach@netflight.com>
To: nanog@nanog.org
In-Reply-To: <70D072392E56884193E3D2DE09C097A9F135@pascal.zaphodb.org>
Errors-To: nanog-bounces@nanog.org

On 5/7/08, Tomas L. Byrnes <tomb@byrneit.net> wrote:
> I'm not sure what the issue is here.
>
>  Just about every modern firewall I've used has an option to enable PMTU
>  on interfaces, while blocking all other ICMP.
>
>  Is MS not running something manufactured in the last 10 years at their
>  perimeter?

Unless things have changed drastically since we parted ways, it's a simple
ACL applied on all edge interfaces.  It should be possible for them to modify
it to allow the list of ICMP subtypes listed at
http://www.cymru.com/Documents/icmp-messages.html

It would *certainly* make troubleshooting easier for the poor folks at
Microsoft, since one side effect of the edge filter being set that way
meant we couldn't traceroute outside the network; the port unreachable
messages never made it back, so everything outside the edge routers
was all just stars.

Of course, that was in a former lifetime, so it's entirely possible and
probable things have changed considerably since then.  ^_^;;

Matt
(speaking only for myself, not for my current employer, and most
certainly not for my previous employer who I'm still somewhat bitter
at, not having gotten any of my hardware back yet...)

_______________________________________________
NANOG mailing list
NANOG@nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog
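A small Python simulation of the failure discussed in this thread, added here as an example and not part of the original message or of any vendor's code: an edge filter that drops every ICMP message versus one that still passes the subtypes PMTUD and traceroute depend on. The per-hop MTUs, the allow-list and the placeholder inner IP header are constructed assumptions.

```python
import struct

# Constructed per-hop link MTUs for the simulated path (assumption, not from the thread).
PATH_MTUS = [1500, 1400, 1500]

# ICMP (type, code) pairs an edge ACL should still pass: Fragmentation Needed
# for PMTUD, plus Time Exceeded and Port Unreachable so traceroute works.
ALLOW_PMTUD = {(3, 4), (11, 0), (3, 3)}
ALLOW_NONE = set()  # the "block all ICMP" edge filter the thread describes

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF

def build_frag_needed(next_hop_mtu: int, inner_ip: bytes) -> bytes:
    """ICMP Type 3 Code 4 carrying the RFC 1191 Next-Hop MTU field and the
    first 28 bytes of the offending datagram (placeholder bytes here)."""
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + inner_ip[:28]
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

def parse_icmp(msg: bytes):
    """Return (type, code, next_hop_mtu) after verifying the checksum."""
    if icmp_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, _, mtu = struct.unpack("!BBHHH", msg[:8])
    return icmp_type, code, mtu

def edge_filter_passes(msg: bytes, allow: set) -> bool:
    """Model of the edge ACL: pass only listed (type, code) pairs."""
    icmp_type, code, _ = parse_icmp(msg)
    return (icmp_type, code) in allow

def probe_path_mtu(path_mtus, allow, start=1500, max_rounds=8):
    """Sender sends DF-set datagrams of `size`; a hop with a smaller link MTU
    replies Frag Needed. Returns (final size, delivered). A reply eaten by the
    edge ACL leaves the sender retransmitting the same size: the black hole."""
    size = start
    for _ in range(max_rounds):
        for hop_mtu in path_mtus:
            if size > hop_mtu:
                reply = build_frag_needed(hop_mtu, b"\x45" + b"\x00" * 27)
                if not edge_filter_passes(reply, allow):
                    return size, False  # ICMP dropped at the edge, sender never learns
                size = hop_mtu  # RFC 1191: shrink to Next-Hop MTU and retry
                break
        else:
            return size, True  # traversed every hop without exceeding an MTU
    return size, False
```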