nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [NANOG] Microsoft.com PMTUD black hole?

From: Hank Nussbacher <hank () efes iucc ac il>
Date: Fri, 9 May 2008 00:10:12 +0300 (IDT)
On Wed, 7 May 2008, Michael Sinatra wrote:


Nathan Anderson/FSR wrote:

Here is a brief update on the situation:

I have been in contact with someone at Microsoft's service operations
center, who has confirmed for me that MS does in fact block _all_ ICMP
at the edge of their network, that they are aware that this will in fact
break PMTUD, and that they have no current plans to change this practice
which they have implemented in the interest of security.


Although the need for your previous apology has already been questioned
in this forum, the confirmation that they block not only certain ICMP
types, but all ICMP, further vacates the need for any apology for
criticizing this behavior in a pubic forum.  It is disheartening for
those of us who use and support MSFT's products to learn that their
understanding of security lacks even the basic nuance to know not to
block an entire--critical--portion of the Internet Protocol.  Perhaps
they should also block _all_ TCP and UDP as well, and then we can move on.

I agree with Iljitsch that it happens frequently, but I think I am
justified in expecting more than that from Microsoft.  Anything less
would be unprofessional.


I wonder if MS knows about:
ICMP Packet Filtering v1.2 from 2003:
http://www.cymru.com/Documents/icmp-messages.html
Only been around 5 years or so.  Hopefully MS people reading this email 
will take note, read the entire page and implement what everyone else has 
been doing for a number of years.

-Hank


_______________________________________________
NANOG mailing list
NANOG () nanog org
http://mailman.nanog.org/mailman/listinfo/nanog
Previous By Date Next
Previous By Thread Next

Current thread: