nanog mailing list archives

Re: G root servers unreachable via ICMP(v6)


From: William Herrin <bill () herrin us>
Date: Tue, 16 May 2023 13:59:01 -0700

On Tue, May 16, 2023 at 1:38 PM Christopher Morrow
<morrowc.lists () gmail com> wrote:
> On Tue, May 16, 2023 at 2:35 PM William Herrin <bill () herrin us> wrote:
>> Ping is used by some versions of traceroute which can help the
>
> I think you mean 'icmp' here. yes. I contend that traceroute (udp or
> icmp or tcp) TOWARDS a destination can be sometimes useful, sure.

I mean ICMP echo-request, colloquially "ping." Traceroute using ICMP
needs the echo-reply from the destination to know that the trace
reached the destination, just like it needs port unreachable for UDP
and RST/SYNACK for TCP.

>> When working, it also lets the diagnostician know that the site's
>> firewall administrator didn't ignorantly decide to block all ICMP.
>> Which so very many ignorant firewall administrators do.
>
> sure, but... 'ignorantly' seems to imply that their ideas of their best
> practice(s) are different from yours. They may have a valid reason
> to block icmp, even all icmp.

Since that breaks PMTUD on a public-facing service, I'm entirely
satisfied with my description of it being ignorant. There is, quite
simply, no valid reason to broadly block ICMP type 3 (destination
unreachable) messages to and from any public facing service. Not ever.

Regards,
Bill Herrin

-- 
William Herrin
bill () herrin us
https://bill.herrin.us/
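
Added example, not part of the original message or thread: a small first-match check over `iptables-save` output that reports whether an inbound ICMP type 3 code 4 ("fragmentation needed", the message PMTUD depends on) would be accepted or dropped. The function name and both rulesets are constructed for illustration; the parser assumes simple rules where every option takes one argument, and it skips rules carrying options it does not model.

```python
import shlex

# --icmp-type values that match a type 3 / code 4 packet.
TYPE3_CODE4 = {"3", "3/4", "destination-unreachable", "fragmentation-needed"}
MODELLED = {"-p", "-m", "--icmp-type", "--ctstate", "-j"}

def verdict_for_frag_needed(ruleset, chain="INPUT"):
    """Return (verdict, deciding_rule) for an ICMP frag-needed error
    that belongs to an already tracked connection (conntrack RELATED)."""
    policy = "ACCEPT"
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == ":" + chain:          # chain policy line, e.g. ":INPUT DROP [0:0]"
            policy = tok[1]
            continue
        if tok[:2] != ["-A", chain]:
            continue
        opts = dict(zip(tok[2::2], tok[3::2]))
        if set(opts) - MODELLED:           # assumption: unmodelled match, skip rule
            continue
        if opts.get("-p") not in (None, "icmp"):
            continue
        itype = opts.get("--icmp-type")
        if itype is not None and itype not in TYPE3_CODE4:
            continue
        states = opts.get("--ctstate")
        if states is not None and "RELATED" not in states.split(","):
            continue
        if opts.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return opts["-j"], line
    return policy, "chain policy"

# Constructed ruleset: blanket ICMP drop in front of a public HTTPS service.
BLANKET_BLOCK = """*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed ruleset: destination-unreachable accepted before the drop.
TYPE3_ALLOWED = BLANKET_BLOCK.replace(
    "-A INPUT -p icmp -j DROP",
    "-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT\n-A INPUT -p icmp -j DROP")

if __name__ == "__main__":
    for name, rules in (("blanket block", BLANKET_BLOCK), ("type 3 allowed", TYPE3_ALLOWED)):
        print(name, "->", verdict_for_frag_needed(rules))
```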

