Firewall Wizards mailing list archives

Re: Transparent proxies and PMTUD on the (WWW) serverside


From: Rick Murphy <rmurphy () mitretek org>
Date: Thu, 28 Aug 2003 15:14:10 -0400

At 08:49 PM 8/27/2003, Carson Gaspar wrote:


> --On Wednesday, August 27, 2003 8:44 AM -0400 Rick Murphy <rmurphy () mitretek org> wrote:
>
> > Again, why? The proxy should be slurping up bits from the client and
> > passing them up to the server (and vice-versa). The underlying IP stack
> > handles PMTUd. There's no reason for the proxy to need to know that the
> > PMTUd is taking place. (Or for the client to need to know, for that
> > matter.)
>
> Bzzzzt. Not if you enable transparent (or other) proxying which maintains the original source address (as was specified in the original example). This is usually given as a requirement for web servers, or other services that "need" to know who their clients are, and get unhappy when every request is from their own firewall.
>
> Of course, the definition of "proxy" becomes fuzzy. The same code that rewrites the outbound connection to fake its source address needs to handle all relevant response packets, including (but not limited to) ICMP Would Fragment. Call it part of the proxy or not, it still needs to work correctly.

Well, now you've got me thinking.
The Gauntlet plug-gw does act transparently as above; it can rewrite the source address to be non-local because the transparency support allows it (you can bind to any address.) There's no "rewriting" going on. In that set of circumstances, I still think the outbound PMTUd will work correctly. However, there are some circumstances where it's not going to work. Rats, wish I had a system to experiment with.
        -Rick

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
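Carson's point is that whatever code originates the outbound connection with the client's source address also has to recognise the ICMP "Fragmentation Needed" errors that come back for that connection and apply them to the right flow, otherwise PMTUD silently breaks behind the proxy. The Python below is an added illustration of that bookkeeping (my own code; it is not from this thread, from Gauntlet, or from any firewall product). It assumes a hypothetical flow table keyed on the client address/port and server address/port that the proxy spoofed outbound, parses a constructed ICMPv4 type 3 / code 4 message, and lowers the stored path MTU for the matching TCP flow. It also handles two edge cases the thread's "needs to work correctly" covers: a Next-Hop MTU of 0 from an old router (RFC 1191 plateau fallback) and a truncated or mismatched error that must be ignored rather than acted on. Addresses and port numbers are constructed sample values.

```python
import struct
from dataclasses import dataclass, field

# RFC 1191 plateau table: used when a pre-1191 router reports Next-Hop MTU = 0.
PLATEAUS = (65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68)


@dataclass
class Flow:
    """One proxied TCP connection the proxy opened using the client's source address."""
    client: str
    client_port: int
    server: str
    server_port: int
    path_mtu: int = 1500  # starting assumption: the outbound interface MTU


@dataclass
class FlowTable:
    """Hypothetical flow table; keyed on the spoofed 4-tuple of the outbound connection."""
    flows: dict = field(default_factory=dict)

    def add(self, flow: Flow) -> None:
        self.flows[(flow.client, flow.client_port, flow.server, flow.server_port)] = flow

    def lookup(self, key):
        return self.flows.get(key)


def parse_frag_needed(icmp: bytes):
    """Parse ICMPv4 Destination Unreachable / Fragmentation Needed (type 3, code 4).

    Returns (next_hop_mtu, inner_src, inner_dst, sport, dport, inner_total_len),
    or None if the message is not a usable Fragmentation Needed error.
    """
    # ICMP header (8) + embedded IPv4 header (>= 20) + first 8 bytes of transport header.
    if len(icmp) < 8 + 20 + 8:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != 3 or code != 4:
        return None
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl + 8:
        return None  # truncated quote of the original datagram: cannot attribute it
    total_len = struct.unpack("!H", inner[2:4])[0]
    if inner[9] != 6:  # only TCP flows are proxied in this model
        return None
    src = ".".join(str(b) for b in inner[12:16])
    dst = ".".join(str(b) for b in inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return mtu, src, dst, sport, dport, total_len


def apply_frag_needed(table: FlowTable, icmp: bytes):
    """Match an ICMP error to the proxied flow it refers to and lower its path MTU.

    Returns the flow's path MTU after the update, or None if nothing matched.
    """
    parsed = parse_frag_needed(icmp)
    if parsed is None:
        return None
    mtu, src, dst, sport, dport, total_len = parsed
    # The quoted datagram is the proxy's own outbound packet, so its source is the
    # client address the proxy spoofed, not the proxy's interface address.
    flow = table.lookup((src, sport, dst, dport))
    if flow is None:
        return None
    if mtu == 0:
        # Old router: pick the largest plateau strictly below the dropped datagram size.
        mtu = next((p for p in PLATEAUS if p < total_len), 68)
    if mtu < flow.path_mtu:  # PMTUD only ever lowers the estimate on an error
        flow.path_mtu = mtu
    return flow.path_mtu


def build_frag_needed(next_hop_mtu, src, dst, sport, dport, total_len) -> bytes:
    """Construct a sample Fragmentation Needed message (checksums left zero)."""
    ip_bytes = lambda a: bytes(int(x) for x in a.split("."))
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                           64, 6, 0, ip_bytes(src), ip_bytes(dst))
    inner_tcp = struct.pack("!HHI", sport, dport, 1)  # ports + sequence number
    return struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + inner_ip + inner_tcp


def demo() -> int:
    """Constructed scenario: client 10.0.0.5 proxied to server 203.0.113.10:80."""
    table = FlowTable()
    table.add(Flow("10.0.0.5", 40000, "203.0.113.10", 80))
    icmp = build_frag_needed(1400, "10.0.0.5", "203.0.113.10", 40000, 80, 1500)
    return apply_frag_needed(table, icmp)


if __name__ == "__main__":
    print("path MTU after ICMP:", demo())
```

The lookup key is the point of the example: because the outbound packet carried the client's address, the error's quoted header also carries the client's address, so a proxy that only knows its own interface addresses would never find the flow. A real implementation would additionally verify the ICMP checksum and rate-limit how often an unauthenticated error can lower the MTU, since a forged Fragmentation Needed message can otherwise degrade a connection.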
