[154506] in North American Network Operators' Group


Re: job screening question

daemon@ATHENA.MIT.EDU (Leo Bicknell)
Thu Jul 5 13:17:42 2012

Date: Thu, 5 Jul 2012 10:16:56 -0700
From: Leo Bicknell <bicknell@ufp.org>
To: nanog@nanog.org
Mail-Followup-To: nanog@nanog.org
In-Reply-To: <CAP-guGXoKDfpC_pwaQVxwjMoG29_bmJEM0Bs3KGwjXX-K0_BoA@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


In a message written on Thu, Jul 05, 2012 at 01:02:08PM -0400, William Herrin wrote:
> You implement a firewall on which you block all ICMP packets. What
> part of the TCP protocol (not IP in general, TCP specifically)
> malfunctions as a result?
>
> My questions for you are:
>
> 1. As an expert who follows NANOG, do you know the answer? Or is this
> question too hard?

I suspect you're looking for Path MTU Discovery as an answer.

> 2. Is the question too vague? Is there a clearer way to word it?

I believe if you understand ICMP, it could be considered to be
vague.

For instance, blocking all ICMP means that if the network breaks
during communication and a Host/Net unreachable is generated the
connection will have to go through a timeout rather than an immediate
tear down.  Similarly, blocking ICMP source quench might break
throttling in the 3 TCP implementations in the world that do that.
:)

> 3. Is there a better screening question I could pass to HR to ask and
> check the candidate's response against the supplied answer?

"A firewall is configured to block all ICMP packets and a system
 administrator reports problems with TCP connections not transferring
 data.  What is the most likely cause?"

ICMP Packet-Too-Big being dropped and breaking PMTU discovery is
the correct answer.

When I study for my CCIE Recert every 2 years I find myself relearning
"The Cisco Answer", rather than the right answer.  It's not that the
Cisco answers are often wrong per se, but they teach the most likely
causes of things and want them back as the right answer.  Cribbing
from their test materials and study guides puts the questions in familiar
terms that your candidates are likely to have seen, making them less
likely to be thrown off by the question.

Unless you want to throw them off.  Depends on the level of folks you
want to hire.  I would answer your question with "I would never
implement a firewall that breaks all TCP." :)

-- 
       Leo Bicknell - bicknell@ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
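The failure mode discussed in this thread, as an added simulation that is not part of the original message: a sender with DF set walks a path of hop MTUs (constructed sample values), and the firewall either passes or drops the ICMP "fragmentation needed" message the router sends back. With the ICMP dropped, the sender never learns the smaller MTU and blindly retransmits full-size segments until it gives up.

```python
"""Why a firewall that drops all ICMP breaks TCP Path MTU Discovery.

The sender sets DF and sizes segments to its local MTU.  A router whose next
hop has a smaller MTU must drop the packet and return ICMP type 3 code 4
(fragmentation needed) carrying the next-hop MTU.  If the firewall drops that
ICMP, the sender keeps retransmitting into a black hole.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

IPV4_HEADERS = 40  # IP (20) + TCP (20), no options


@dataclass
class Firewall:
    allow_frag_needed: bool  # permit ICMP type 3 code 4 back to the sender


@dataclass
class Sender:
    pmtu: int = 1500         # starts at the local link MTU (assumed)
    sent_segments: int = 0
    max_retries: int = 5     # give up after this many unanswered resends


def forward(packet_len: int, path_mtus: List[int]) -> Optional[int]:
    """Return None if the packet fits every hop, else the limiting hop MTU."""
    for mtu in path_mtus:
        if packet_len > mtu:
            return mtu       # DF packet dropped here; ICMP frag-needed emitted
    return None


def transfer(payload: int, path_mtus: List[int], fw: Firewall) -> Dict:
    """Try to deliver `payload` bytes; report whether PMTUD converged."""
    s = Sender()
    remaining, retries = payload, 0
    while remaining > 0:
        seg = min(remaining, s.pmtu - IPV4_HEADERS)  # MSS derived from PMTU
        s.sent_segments += 1
        limit = forward(seg + IPV4_HEADERS, path_mtus)
        if limit is None:
            remaining -= seg          # delivered; move on to the next segment
            retries = 0
        elif fw.allow_frag_needed:
            s.pmtu = limit            # ICMP arrived: shrink PMTU and resend
        else:
            retries += 1              # ICMP dropped: blind retransmission
            if retries >= s.max_retries:
                return {"delivered": False, "pmtu": s.pmtu, "segments": s.sent_segments}
    return {"delivered": True, "pmtu": s.pmtu, "segments": s.sent_segments}
```

A small payload that fits the narrowest hop still gets through with ICMP blocked, which matches the classic symptom: the handshake and short exchanges work, but bulk transfers hang.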


