Re: Transparent proxies and PMTUD on the (WWW) serverside

[Carson Gaspar <carson () taltos org>]

--On Wednesday, August 27, 2003 00:33:53 +0200 Mikael Olsson 
<mikael.olsson () clavister com> wrote:

> "Marcus J. Ranum" wrote:
> > > If an ALG supports transparent proxying, enables PMTUD, and does not
> > > intercept ICMP must fragment, the ALG is broken. File a high priority
> > > trouble ticket with your vendor.
> >
> > If an ALG understands PMTUD and ICMP it's not an ALG, it's a packet
> > filter masquerading as a proxy. All that stuff is totally below
> > application space.
>
> Um, no. I'll rephrase Carson's mail for him:
>
> "If an ALG-based firewall system that implements transparency on
> the client side has PMTUd on in the underlying operating system,
> and the transparency code doesn't handle ICMP 'must frag'
> errors, the firewall system is b0rken."
>
> So, yeah, ok, the ALG itself shouldn't care about ICMP errors.
> But the transparency function / packet filter that makes
> the ALG transparent surely should. And it doesn't make
> the firewall a packet filter in my book.

Exactly.

And Marcus, almost all ALGs "know" about PMTUD and ICMP, they just 
outsource it to the kernel (in a rare example of compartmentalized code ;-) 
). Once transparency is involved, the outsourcing is no longer complete, as 
specific packet re-writing instructions must be communicated to the kernel. 
In the Sidewinder case, they signed a bad outsourcing agreement ;-)

--
Carson

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards