[43840] in North American Network Operators' Group
RE: Digital Island sponsors DoS attempt?
daemon@ATHENA.MIT.EDU (Quibell, Marc)
Fri Oct 26 14:57:06 2001
Message-ID: <EF4A9841BCC9D5119E28009027923DF0137075@yosemite.icn.state.ia.us>
From: "Quibell, Marc" <mquibell@icn.state.ia.us>
To: 'Bob K' <melange@yip.org>
Cc: nanog@merit.edu
Date: Fri, 26 Oct 2001 13:47:14 -0500
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Errors-To: owner-nanog-outgoing@merit.edu
I actually thought about that being a problem, only if you block ALL ICMP
messages. Any router beyond the blocking one will break PMTU discovery, so
yeah you're right. One could always deny specific ICMP types....
Marc
-----Original Message-----
From: Bob K [mailto:melange@yip.org]
Sent: Friday, October 26, 2001 1:45 PM
To: Quibell, Marc
Cc: nanog@merit.edu
Subject: RE: Digital Island sponsors DoS attempt?
On Fri, 26 Oct 2001, Quibell, Marc wrote:
> Finally, I do not believe PMTU uses pings to discover the PMTU. I believe it
> uses TCP or UDP packets at the layers above IP, and it DOES use "ICMP Packet
> Too big" responses (from the receiver) to cut its packet size. So in
> reality, a router blocking ICMP from being routed through can still send
> these ICMP messages PMTU needs. Is this how you understand it?
Don't forget that routers or hosts beyond (from the point of view of the
host attempting PMTU) your ICMP-blocking router may have smaller MTUs than
the norm and may be trying to send ICMP errors back...
--
Bob <melange@yip.org> | We're all wrong.
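
Added example, not part of the original thread: a small model of the case discussed above, where a router beyond the filtering one sends an ICMP "fragmentation needed and DF set" error (type 3, code 4, RFC 1191) back toward the sender. It compares a block-all-ICMP filter with one that denies only specific types; the function names, the 1400-byte MTU and the sample packets are constructed for illustration.

```python
import struct

FRAG_NEEDED = (3, 4)    # Destination Unreachable / fragmentation needed and DF set
ECHO_REQUEST = (8, 0)   # ping

def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frag_needed(next_hop_mtu: int, original: bytes) -> bytes:
    """Build the error a small-MTU router returns: type 3, code 4, next-hop MTU."""
    csum = checksum(struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + original)
    return struct.pack("!BBHHH", 3, 4, csum, 0, next_hop_mtu) + original

def parse_icmp(msg: bytes):
    """Return (type, code, next_hop_mtu); the MTU is None unless type 3 code 4."""
    if len(msg) < 8:
        raise ValueError("truncated ICMP message")
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    return icmp_type, code, (mtu if (icmp_type, code) == FRAG_NEEDED else None)

def block_all(msg: bytes) -> bool:
    """Filter that forwards no ICMP at all."""
    return False

def deny_specific(msg: bytes, denied=frozenset({ECHO_REQUEST})) -> bool:
    """Filter that drops only the listed (type, code) pairs."""
    icmp_type, code, _ = parse_icmp(msg)
    return (icmp_type, code) not in denied

def sender_path_mtu(current_mtu: int, msg: bytes, forwards) -> int:
    """Path MTU the sending host uses after the filter has handled msg."""
    if not forwards(msg):
        return current_mtu  # error never arrives; oversized DF packets keep being dropped
    _, _, mtu = parse_icmp(msg)
    return min(current_mtu, mtu) if mtu else current_mtu

# Constructed sample: a downstream router with a 1400-byte link reports it.
# The 28 zero bytes stand in for the quoted IP header + 8 bytes of payload.
SAMPLE_ERROR = build_frag_needed(1400, bytes(28))
SAMPLE_PING = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
```
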