Full Disclosure mailing list archives
Re: [SPAM] Your daily internet traffic report
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Sun, 17 Oct 2004 13:37:44 +0200 (CEST)
On Sun, 17 Oct 2004, Dave Horsfall wrote:
> To those who seek to block ICMP, I say: "Let them." I'm sure that a
> certain Mr. Charles Darwin will soon sort them out.

What if I just don't set DF on my outgoing traffic, and block incoming ICMP?

PMTUD is a silly mechanism in that it tends to rely on _diagnostic_ messages that were sometimes blocked for security reasons even before it was first proposed; and that without kludges, it breaks spectacularly and offers no easy recovery if these messages are blocked.

The RFC said:

  The Internet Protocol is not designed to be absolutely reliable. The purpose of these control messages is to provide feedback about problems in the communication environment, not to make IP reliable. There are still no guarantees that a datagram will be delivered or a control message will be returned.

Clearly indicating that it is a bad idea to rely on ICMP responses as absolutely essential for higher-order protocols to work well. Furthermore:

  Another case is when a datagram must be fragmented to be forwarded by a gateway yet the Don't Fragment flag is on. In this case the gateway must discard the datagram and may return a destination unreachable message.

Notice "may". I do not even violate the RFC by not sending back "fragmentation required but DF set" messages. This is why DF is often cleared by commercial NAT firewalls, proxies and so forth - to ensure reliability, rather than some added performance.

-- 
------------------------- bash$ :(){ :|:&};: -- Michal Zalewski * [http://lcamtuf.coredump.cx]
  Did you know that clones never use mirrors?
--------------------------- 2004-10-17 13:29 --
  http://lcamtuf.coredump.cx/photo/current/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
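The PMTUD failure mode discussed in the message above, as an added example that is not part of the original post or of any tool mentioned in the thread. It is a small simulation: a sender that sets DF and depends on ICMP "fragmentation needed" (type 3, code 4) replies, run against a path where inbound ICMP is filtered, and against the same path when an edge NAT clears DF. The hop MTUs, payload sizes and the `Path`, `send_with_pmtud` and `send_without_df` names are all constructed for the example; only the mechanics follow the RFC text quoted in the post (a DF datagram that does not fit is discarded and the report MAY be sent; a datagram without DF is fragmented instead).

```python
"""Simulation of IPv4 Path MTU Discovery against a path that filters ICMP
or clears DF at the edge. Constructed example, not code from the original
post; hop MTUs, payload sizes and class/function names are made up here.
"""
import math

IP_HEADER = 20          # IPv4 header without options, in bytes
SENDER_MTU = 1500       # sender's own link MTU, its initial PMTU estimate


def fragment(size, mtu):
    """Split one datagram of 'size' bytes into fragments that fit 'mtu'.
    Every fragment but the last carries a multiple of 8 payload bytes and
    each fragment gets its own IP header (RFC 791 fragmentation)."""
    payload = size - IP_HEADER
    per_fragment = (mtu - IP_HEADER) // 8 * 8
    count = math.ceil(payload / per_fragment)
    sizes = [IP_HEADER + per_fragment] * (count - 1)
    sizes.append(IP_HEADER + payload - per_fragment * (count - 1))
    return sizes


class Path:
    """A chain of hops. 'filter_icmp' models a firewall at the sender that
    drops all inbound ICMP; 'nat_clears_df' models an edge device that
    strips DF from outgoing traffic, as the post says commercial NATs do."""

    def __init__(self, hop_mtus, filter_icmp=False, nat_clears_df=False):
        self.hop_mtus = list(hop_mtus)
        self.filter_icmp = filter_icmp
        self.nat_clears_df = nat_clears_df

    def forward(self, size, df):
        """Carry one datagram across every hop.
        Returns ("delivered", fragment_count) or ("dropped", next_hop_mtu);
        next_hop_mtu is None when the ICMP report never reaches the sender."""
        if self.nat_clears_df:
            df = False
        pieces = [size]
        for mtu in self.hop_mtus:
            forwarded = []
            for piece in pieces:
                if piece <= mtu:
                    forwarded.append(piece)
                elif df:
                    # RFC 791: the gateway MUST discard and MAY report.
                    # A blocked ICMP path turns "may" into "never".
                    return ("dropped", None if self.filter_icmp else mtu)
                else:
                    forwarded.extend(fragment(piece, mtu))
            pieces = forwarded
        return ("delivered", len(pieces))


def send_with_pmtud(path, payload, max_attempts=5):
    """Classic PMTUD sender: sets DF, sizes the datagram to its current PMTU
    estimate and lowers the estimate when ICMP 'fragmentation needed' comes
    back. Returns (outcome, final_pmtu_estimate, attempts_used)."""
    pmtu = SENDER_MTU
    for attempt in range(1, max_attempts + 1):
        size = min(pmtu, IP_HEADER + payload)
        result, info = path.forward(size, df=True)
        if result == "delivered":
            return ("ok", pmtu, attempt)
        if info is None:
            # Black hole: a silent drop is indistinguishable from ordinary
            # loss, so the sender just retransmits the same oversized
            # datagram until it gives up.
            continue
        pmtu = info
    return ("blackhole", pmtu, max_attempts)


def send_without_df(path, payload):
    """Sender that never sets DF and lets routers fragment.
    Returns (outcome, fragments_arriving, attempts_used)."""
    result, info = path.forward(IP_HEADER + payload, df=False)
    return ("ok" if result == "delivered" else "lost", info, 1)


if __name__ == "__main__":
    hops = [1500, 1492, 1400]          # e.g. Ethernet, PPPoE, then a tunnel
    big, small = 1460, 500             # payload sizes in bytes
    for name, path in [("icmp allowed", Path(hops)),
                       ("icmp blocked", Path(hops, filter_icmp=True)),
                       ("icmp blocked, NAT clears DF",
                        Path(hops, filter_icmp=True, nat_clears_df=True))]:
        print(name, "DF big:", send_with_pmtud(path, big),
              "DF small:", send_with_pmtud(path, small),
              "no DF big:", send_without_df(path, big))
```

Running it shows the symptom that makes PMTUD black holes hard to diagnose: on the ICMP-filtered path the 500-byte payload still gets through on the first try, while the 1460-byte payload is retransmitted at full size until the sender gives up, so interactive traffic works and bulk transfers hang. Clearing DF, whether at the sender or at the NAT, delivers the same payload in two fragments on the first attempt at the cost of the fragmentation the post is willing to pay for.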
Current thread:
- Re: [SPAM] Your daily internet traffic report Willem Koenings (Oct 16)
- Re: [SPAM] Re: [SPAM] Your daily internet traffic report Hugo van der Kooij (Oct 16)
- Re: [SPAM] Your daily internet traffic report Frank de Wit (Oct 17)
- <Possible follow-ups>
- Re: [SPAM] Your daily internet traffic report lee . e . rian (Oct 16)
- Re: [SPAM] Re: [SPAM] Your daily internet traffic report Hugo van der Kooij (Oct 17)
- Re: [SPAM] Your daily internet traffic report Dave Horsfall (Oct 17)
- Re: [SPAM] Your daily internet traffic report Michal Zalewski (Oct 17)
- Re: [SPAM] Your daily internet traffic report Gary E. Miller (Oct 17)
- Re: [SPAM] Re: [SPAM] Your daily internet traffic report Hugo van der Kooij (Oct 17)
- ICMP (was: daily internet traffic report) Frank de Wit (Oct 17)
- Re: ICMP (was: daily internet traffic report) James Edwards (Oct 17)
- Re: ICMP (was: daily internet traffic report) Cedric Blancher (Oct 17)
- Re: ICMP (was: daily internet traffic report) James Edwards (Oct 17)
- Re: ICMP (was: daily internet traffic report) Cedric Blancher (Oct 17)
- Re: ICMP (was: daily internet traffic report) james edwards (Oct 18)
- Re: ICMP (was: daily internet traffic report) Cedric Blancher (Oct 18)
- Re: ICMP - Today India, Samoa, and Iran are in the tank - back to orginal thread DDoS, or No DDoS? vigilaro (Oct 18)