nanog mailing list archives

RE: Common operational misconceptions


From: George Bonser <gbonser () seven com>
Date: Fri, 17 Feb 2012 05:42:36 +0000

 
-----Original Message-----
From: Owen DeLong 
Sent: Thursday, February 16, 2012 8:48 PM
To: Masataka Ohta
Cc: nanog () nanog org
Subject: Re: Common operational misconceptions


On Feb 16, 2012, at 5:11 PM, Masataka Ohta wrote:

Andreas Echavez wrote:

*Why disabling ICMP doesn't increase security and only hurts the web*
*(path MTU discovery, diagnostics)*

That PMTUD works is a misconception.


It actually works where people have not made active efforts to break
it.

Modern (RFC 4821) PMTUD that is used by default by Solaris and Microsoft does not require ICMP and works well. For Linux you have to enable it:

/proc/sys/net/ipv4/tcp_mtu_probing = 1 or 2 (I believe the default is still 0 which means it relies on ICMP for PMTUD by default and you must turn on RFC 4821 PMTUD). If you're relying on ICMP for PMTUD, still, then yeah, you probably run into problems from time to time but fewer stacks use that method of PMTUD these days.
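The contrast George draws above (ICMP-dependent PMTUD stalling in a black hole versus RFC 4821 probing converging without any ICMP) is easy to see in a small simulation. The following is an added example, not code from the thread or from any operating system's stack: it models a constructed path that silently drops oversized packets, runs a simplified RFC 1191-style discovery and a simplified RFC 4821-style binary search against it, and includes a helper that describes the three Linux `tcp_mtu_probing` values. The path MTU (1400), link MTU (1500) and base MSS (1024) are constructed parameters; the real kernel search is more elaborate (it is driven by retransmit timeouts and `tcp_base_mss`), so this shows the principle, not Linux's exact algorithm.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Path:
    """Constructed path model. Packets larger than `mtu` are never delivered.
    If ICMP is filtered somewhere on the path (a PMTU black hole) the sender
    gets no feedback at all; otherwise it receives an RFC 1191-style
    'fragmentation needed' message carrying the next-hop MTU."""
    mtu: int
    icmp_filtered: bool

    def send(self, size: int) -> Tuple[str, Optional[int]]:
        if size <= self.mtu:
            return "ack", None          # delivered, transport-layer ack returns
        if self.icmp_filtered:
            return "lost", None         # silently dropped: no ICMP, no ack
        return "icmp", self.mtu         # ICMP "frag needed" with MTU hint


def classic_pmtud(path: Path, link_mtu: int, max_retries: int = 3) -> Optional[int]:
    """RFC 1191 style: send full-size DF packets and shrink only when an ICMP
    message arrives. With ICMP filtered, every retransmission is lost again
    and the connection stalls, modelled here by returning None."""
    mtu = link_mtu
    for _ in range(max_retries):
        result, hint = path.send(mtu)
        if result == "ack":
            return mtu
        if result == "icmp" and hint is not None:
            mtu = hint                  # the only way this method ever learns
        # "lost": no feedback, so the next attempt uses the same size
    return None


def plpmtud(path: Path, base_mss: int, link_mtu: int) -> Tuple[int, int]:
    """RFC 4821 style (simplified): treat delivery/loss of probe segments as the
    signal and binary-search between a known-good size and the link MTU.
    Never consults ICMP. Returns (discovered_pmtu, probes_sent)."""
    low, high = base_mss, link_mtu      # invariant: `low` is known to be deliverable
    probes = 0
    while low < high:
        mid = (low + high + 1) // 2
        result, _ = path.send(mid)
        probes += 1
        if result == "ack":
            low = mid                   # probe got through: raise the floor
        else:
            high = mid - 1              # probe lost (or ICMP): lower the ceiling
    return low, probes


def describe_tcp_mtu_probing(value: str) -> str:
    """Meaning of /proc/sys/net/ipv4/tcp_mtu_probing per the kernel's
    ip-sysctl documentation; rejects anything that is not 0, 1 or 2."""
    meanings = {
        "0": "disabled: relies on ICMP-based PMTUD only",
        "1": "off by default, enabled when an ICMP black hole is detected",
        "2": "always enabled, starting from tcp_base_mss",
    }
    try:
        return meanings[value.strip()]
    except KeyError:
        raise ValueError(f"unexpected tcp_mtu_probing value: {value!r}")


if __name__ == "__main__":
    black_hole = Path(mtu=1400, icmp_filtered=True)
    open_path = Path(mtu=1400, icmp_filtered=False)
    print("classic, ICMP allowed :", classic_pmtud(open_path, 1500))
    print("classic, ICMP filtered:", classic_pmtud(black_hole, 1500))
    print("RFC 4821, ICMP filtered:", plpmtud(black_hole, 1024, 1500))
    print("tcp_mtu_probing=2 means:", describe_tcp_mtu_probing("2"))
```

Running it, classic discovery returns 1400 only when the ICMP hint arrives and stalls (None) on the black hole, while the probing search reaches 1400 on the same black hole after nine probes. On a real Linux host the equivalent check is reading `/proc/sys/net/ipv4/tcp_mtu_probing`; a value of 0 is the case the message above warns about, where filtered ICMP leaves the stack with no way to learn the path MTU.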