[149936] in North American Network Operators' Group


RE: Common operational misconceptions

daemon@ATHENA.MIT.EDU (George Bonser)
Fri Feb 17 00:43:34 2012

From: George Bonser <gbonser@seven.com>
To: Owen DeLong <owen@delong.com>, Masataka Ohta
 <mohta@necom830.hpcl.titech.ac.jp>
Date: Fri, 17 Feb 2012 05:42:36 +0000
In-Reply-To: <BE94FC87-74BF-4791-95D4-2336C3298F79@delong.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

> -----Original Message-----
> From: Owen DeLong
> Sent: Thursday, February 16, 2012 8:48 PM
> To: Masataka Ohta
> Cc: nanog@nanog.org
> Subject: Re: Common operational misconceptions
>
>
> On Feb 16, 2012, at 5:11 PM, Masataka Ohta wrote:
>
> > Andreas Echavez wrote:
> >
> >> *Why disabling ICMP doesn't increase security and only hurts the
> web*
> >> *(path MTU discovery, diagnostics)
> >
> > That PMTUD works is a misconception.
> >
>
> It actually works where people have not made active efforts to break
> it.

Modern (RFC 4821) PMTUD that is used by default by Solaris and Microsoft does
not require ICMP and works well.  For Linux you have to enable it:

/proc/sys/net/ipv4/tcp_mtu_probing = 1 or 2 (I believe the default is still 0
which means it relies on ICMP for PMTUD by default and you must turn on RFC
4821 PMTUD).  If you're relying on ICMP for PMTUD, still, then yeah, you
probably run into problems from time to time but fewer stacks use that method
of PMTUD these days.
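The following is an added example, not part of George Bonser's message or of any Linux project code. It audits the tcp_mtu_probing sysctl the message refers to (0 = rely on ICMP, 1 = probe only after a black hole is detected, 2 = always probe starting from tcp_base_mss, per the kernel's ip-sysctl documentation) and prints the remediation. The /proc path and the net.ipv4.tcp_mtu_probing / tcp_base_mss names are real; the sysctl.d file name 90-pmtud.conf is an assumption chosen for the example, and the file-path parameter exists so the logic can be run against a saved copy of the setting as well as the live host.

```shell
#!/bin/sh
# Added example: audit whether a Linux host can do RFC 4821 PMTUD without ICMP.
# Assumes a Linux host; the sysctl path below is the one named in the post.

PMTUD_SYSCTL=/proc/sys/net/ipv4/tcp_mtu_probing

# Translate the sysctl value into what it means for path MTU discovery.
# Meanings follow the kernel's Documentation/networking/ip-sysctl text.
pmtud_explain() {
    case "$1" in
        0) echo "disabled: PMTUD relies on ICMP Fragmentation Needed / Packet Too Big" ;;
        1) echo "enabled only after an ICMP black hole is detected" ;;
        2) echo "always enabled: probes from tcp_base_mss without needing ICMP" ;;
        *) echo "unrecognised value: $1"; return 2 ;;
    esac
}

# Read the setting from a file (default: the live sysctl) and report it.
# Exit status: 0 when ICMP-independent probing is available (1 or 2),
# 1 when the host still depends entirely on ICMP (0), 2 when unreadable.
pmtud_audit() {
    file="${1:-$PMTUD_SYSCTL}"
    if [ ! -r "$file" ]; then
        echo "cannot read $file (not Linux, or /proc not mounted?)"
        return 2
    fi
    value=$(tr -d '[:space:]' < "$file")
    echo "tcp_mtu_probing=$value -> $(pmtud_explain "$value")"
    case "$value" in
        1|2) return 0 ;;
        0)
            echo "remediation: sysctl -w net.ipv4.tcp_mtu_probing=1"
            # 90-pmtud.conf is an assumed file name for this example.
            echo "persist:     echo 'net.ipv4.tcp_mtu_probing = 1' > /etc/sysctl.d/90-pmtud.conf"
            return 1 ;;
        *) return 2 ;;
    esac
}

# When run as a script, audit the live host; a non-zero status is informational.
pmtud_audit || :
```

Running the script on a Linux host prints the current value, its meaning, and (when the value is 0) the sysctl command plus a drop-in file to make the change survive reboot. Value 1 is the smaller change: behaviour is unchanged until a black hole is actually detected, so it is the safer first step on hosts where a larger initial MSS from tcp_base_mss would be a concern.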