[30149] in North American Network Operators' Group


Re: Path-MTU-discovery

daemon@ATHENA.MIT.EDU (Richard A. Steenbergen)
Mon Jul 17 03:15:59 2000

Date: Mon, 17 Jul 2000 03:12:21 -0400 (EDT)
From: "Richard A. Steenbergen" <ras@e-gerbil.net>
To: Mikael Abrahamsson <swmike@swm.pp.se>
Cc: nanog@merit.edu
Message-ID: <Pine.BSF.4.21.0007170308000.95155-100000@overlord.e-gerbil.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu


On Mon, 17 Jul 2000, Mikael Abrahamsson wrote:

> On Mon, 17 Jul 2000, Patrick W. Gilmore wrote:
>
> > Wow, why would the ICMPs get lost?
>
> I think it's because of access lists etc. I am not the one who has
> set it up so I do not know. We've had this problem from two different
> companies (one for our national needs and one for our international
> needs). The international one has solved it with what you mention
> below.

Wouldn't it be unfortunate if the script kiddies decided to do DoS over
ICMP Need-Frag... This is a very bad situation we find ourselves in, you
realize? The quicker we find a way to get rid of this rather bad hack the
better.

Rate-limits of need-frag can help, but many people are still in a
position where their filters leave need-frag wide open and they can't or
aren't currently rate limiting.

The PMTU-D blackhole detection-type checks help keep this current hack
alive a little longer. I'm not currently aware of the extent to which
various OS's implement this kind of thing, any ideas?

-- 
Richard A Steenbergen <ras@e-gerbil.net>   http://www.e-gerbil.net/humble
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)


