nanog mailing list archives
Re: [NANOG] [OPSEC] Microsoft.com PMTUD black hole?
From: "Smith, Donald" <Donald.Smith () qwest com>
Date: Thu, 8 May 2008 11:19:41 -0600
A few comments on your comments below.

RM=for(1) {manage_risk(identify_risk(product[i++]) && (identify_threat[product[i++]))}
Donald.Smith () qwest com giac
-----Original Message-----
From: opsec-bounces () ietf org [mailto:opsec-bounces () ietf org] On Behalf Of Iljitsch van Beijnum
Sent: Thursday, May 08, 2008 3:24 AM
To: Joel Jaeggli
Cc: guillermo () gont com ar; opsec () ietf org; NANOG list
Subject: Re: [OPSEC] [NANOG] Microsoft.com PMTUD black hole?

> On 8 May 2008, at 9:53, Joel Jaeggli wrote:
>> Oddly enough there is a draft on the subject of ICMP filtering recommendations making the rounds.
>> http://tools.ietf.org/wg/opsec/draft-gont-opsec-icmp-filtering-00.txt
>> The opsec working group (opsec () ietf org) and the authors would appreciate feedback from operators on the subject.
>
> Speaking as someone who isn't interested in reading an explanation of what happens when the message is filtered for every ICMP message known to man, I find this a completely useless document: I can't find the recommendations. Either they're there but impossible to find by looking at the table of contents or searching for "recommend", or they're not there, in which case the title is EXTREMELY misleading.
I believe a table of what to filter where was recommended. I hope that table includes filtering and rate-limiting from, through, and to. However, blindly accepting recommendations without understanding the possible ramifications such filtering can have on your network is not wise.
> Also:
>
>   2.1.1.5.4. Operational/interoperability impact if blocked
>   Filtering this error message breaks the Path-MTU Discovery mechanism described in [RFC1191].
>
> This is completely insufficient because it doesn't mention that 99% of all TCP traffic on today's internet uses PMTUD and filtering these messages leads to broken connectivity towards destinations that have an MTU lower than the source (lower than 1500 in practice).
I suspect your statistics. I don't believe the number is anywhere near 99%, but I haven't seen a study that would support any actual percentage of traffic that relies on PMTUD. If you're aware of such a study/research, I would be interested in reviewing the results. Again, filtering THROUGH a device is probably not advisable; filtering TO your device might be advisable.
> Please spell check, and five levels of numbering is considered bad style.
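To make concrete what a filter that drops ICMP type 3 code 4 actually throws away, here is an added example (my own code, not from any poster or from the draft): a parser that validates a constructed Fragmentation Needed message and extracts the next-hop MTU together with the embedded flow's addresses and ports, which is what a host (or a stateful firewall) matches against an existing connection before trusting the message, plus the RFC 1191 host rule for applying the reported MTU. The sample addresses, ports and MTU are constructed test values.

```python
import struct

IPV4_MIN_MTU = 68  # RFC 791 minimum; an RFC 1191 host never goes below this


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_frag_needed(icmp: bytes) -> dict:
    """Validate an ICMPv4 Destination Unreachable / Fragmentation Needed
    message and return the next-hop MTU plus the embedded flow's 5-tuple."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("truncated: need ICMP header, inner IP header and 8 bytes")
    if icmp_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        raise ValueError(f"not Fragmentation Needed: type={icmp_type} code={code}")
    inner = icmp[8:]                      # original IP header + first 8 bytes
    ihl = (inner[0] & 0x0F) * 4
    if len(inner) < ihl + 8:
        raise ValueError("inner datagram shorter than IHL + 8 bytes")
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {"mtu": mtu, "proto": inner[9],
            "src": ".".join(map(str, inner[12:16])),
            "dst": ".".join(map(str, inner[16:20])),
            "sport": sport, "dport": dport}

def next_pmtu(current: int, reported: int) -> int:
    """RFC 1191 host rule: only ever lower the path MTU, never below 68. A zero
    MTU (pre-RFC 1191 router) is ignored here; a real stack uses the plateau table."""
    if reported == 0 or reported >= current:
        return current
    return max(reported, IPV4_MIN_MTU)

def build_frag_needed(mtu: int, src: str, dst: str, sport: int, dport: int) -> bytes:
    """Construct a sample message (test input, not a captured packet): ICMP header,
    then the dropped datagram's IPv4 header (proto 6 = TCP) and its first 8 bytes."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                           bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    body = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + inner_ip + struct.pack("!HHI", sport, dport, 1)
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]
```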