Full Disclosure mailing list archives

Re: [SPAM] Your daily internet traffic report


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Sun, 17 Oct 2004 13:37:44 +0200 (CEST)

On Sun, 17 Oct 2004, Dave Horsfall wrote:

> To those who seek to block ICMP, I say: "Let them."  I'm sure that a
> certain Mr. Charles Darwin will soon sort them out.

What if I just don't set DF on my outgoing traffic, and block incoming
ICMP?

PMTUD is a silly mechanism in that it tends to rely on _diagnostic_
messages that were sometimes blocked for security reasons even before it
was first proposed; and that, without kludges, it breaks spectacularly and
offers no easy recovery if these messages are blocked. The RFC said:

   The Internet Protocol is not designed to be absolutely reliable.  The
   purpose of these control messages is to provide feedback about
   problems in the communication environment, not to make IP reliable.
   There are still no guarantees that a datagram will be delivered or a
   control message will be returned.

Clearly indicating that it is a bad idea to rely on ICMP responses as
absolutely essential for higher-order protocols to work well. Furthermore:

      Another case is when a datagram must be fragmented to be forwarded
      by a gateway yet the Don't Fragment flag is on.  In this case the
      gateway must discard the datagram and may return a destination
      unreachable message.

Notice "may". I do not even violate RFC by not sending back "fragmentation
required but DF set" messages.

This is why DF is often cleared by commercial NAT firewalls, proxies and
so forth - to ensure reliability, rather than some added performance.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2004-10-17 13:29 --

   http://lcamtuf.coredump.cx/photo/current/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
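The gateway behaviour the quoted RFC text describes, as an added Python simulation that is not part of the original post: a datagram larger than the next-hop MTU is split into 8-byte-aligned fragments when DF is clear (RFC 791), but with DF set it is discarded and the type 3 / code 4 message is only optionally returned, so a filter that drops ICMP turns the loss into a silent black hole. The addresses, identification value and payload are constructed sample values; the header is a minimal 20-byte IPv4 header with no options.

```python
import struct

IP_DF, IP_MF = 0x4000, 0x2000                        # IPv4 flag bits (RFC 791)
SRC, DST = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"  # constructed sample addresses

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (0 when verifying a valid header)."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def build_ipv4(payload: bytes, df: bool, offset: int = 0, mf: bool = False,
               ident: int = 0x1234) -> bytes:
    """Minimal IPv4 header (proto 17, TTL 64) with flags/fragment offset, then payload."""
    flags_frag = (IP_DF if df else 0) | (IP_MF if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, 17, 0, SRC, DST)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def forward(pkt: bytes, next_hop_mtu: int, icmp_allowed: bool):
    """Gateway hop: returns (packets sent onward, ICMP error returned to the sender or None)."""
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    if total_len <= next_hop_mtu:
        return [pkt], None
    if flags_frag & IP_DF:
        # RFC 792: the gateway MUST discard and MAY return type 3, code 4
        # ("fragmentation needed and DF set"); if ICMP is filtered nobody learns why.
        if not icmp_allowed:
            return [], None
        icmp = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + pkt[:28]  # RFC 1191 MTU field
        return [], icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    # DF clear: fragment the payload so each piece fits the MTU, offsets in 8-byte units.
    payload, frags = pkt[20:], []
    step = (next_hop_mtu - 20) // 8 * 8
    for off in range(0, len(payload), step):
        more = off + step < len(payload)
        frags.append(build_ipv4(payload[off:off + step], False, off, more, ident))
    return frags, None

def reassemble(frags) -> bytes:
    """Order fragments by their offset field and join the payloads (single-datagram case)."""
    parts = sorted(((struct.unpack("!H", f[6:8])[0] & 0x1FFF) * 8, f[20:]) for f in frags)
    return b"".join(p for _, p in parts)
```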

