nanog mailing list archives
Re: [NANOG] Microsoft.com PMTUD black hole?
From: Deepak Jain <deepak () ai net>
Date: Wed, 07 May 2008 18:07:06 -0400
Nathan Anderson/FSR wrote:
Nevertheless, the person I have been in contact with is naturally not the final decision-maker on this issue and is going to continue to pass the issue on up the chain of command for me. So although this issue is not over and I do not have a final verdict from MS yet, I felt that, given that I don't know how much time to expect to pass between now and when that final verdict is rendered, it would be appropriate to let everybody here know what I have learned thus far. Hopefully public dissemination of this information factoid will prevent others in a position similar to mine from having to helplessly beat their heads into their keyboards.
Let's also not ignore the generally overworked IT administrator at any small or medium sized enterprise. He/she may not be (as many folks I've run into are) of the mistaken impression that ICMP *is* bad and leaves you vulnerable to all sorts of things like SMURF. There are even tools out there that "test" your vulnerability by "pinging" you and do other investigations.

I know of a tool that a major financial institution uses when certifying your network's security -- that scrapes the version number from your ESMTP banner to decide whether you comply or not (and other banners). (Rather than actually testing for a specific vulnerability). Simply blocking all of these packets from their test host gives you a high passing score; possibly a perfect one. [Irony and humor aside...]

Many non-SP IT folks think they understand TCP, grudgingly accept UDP for DNS from external sources and think everything else is bollocks. Many *might* have a fit if they saw Microsoft accepting ICMPs because that seems inconsistent with their knowledge of turn-the-knob network security. To their view, their Linksys/Netgear/whathaveyou COTS firewalls block everything too.

I don't think I'm exaggerating here.

Just a thought, not saying it's a good one or whose fault it is...

Deepak Jain
AiNET

_______________________________________________
NANOG mailing list
NANOG () nanog org
http://mailman.nanog.org/mailman/listinfo/nanog