[AusNOG] Best Practice for IPv4 PMTU discovery?

Dobbins, Roland rdobbins at arbor.net
Tue Feb 11 17:25:22 EST 2014


On Feb 11, 2014, at 11:34 AM, Paul Gear <ausnog at libertysys.com.au> wrote:

> Google searches have returned only hits which reinforce my current understanding [2][3][4][5].  Your collective wisdom on the point would be appreciated.

They should allow Type-3/Code-4, as you indicate.

Unfortunately, a lot of Confused Information Systems Security Professionals and the like have absorbed the myth that all ICMP is bad and ought to be blocked, just as they've likewise absorbed the myth that DNS over TCP/53 represents a security threat.  

Generally speaking (not always), enterprises have considerably less clue with regards to networking, TCP/IP, and actual security than ISPs.  And so they dork up their DNS by blocking TCP/53, and dork up PMTU-D by blocking all ICMP, including Type-3/Code-4.

The problem isn't buggy code; it's lack of clue, which leads people to do things like put stateful firewalls in front of servers where they serve no useful purpose, to block all ICMP, to block TCP/53, to block UDP/53 DNS packets greater than 512 bytes in length (thus breaking EDNS0 & DNSSEC), et al.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
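Added example, not part of Roland's post or the AusNOG thread: what the ICMPv4 Type 3 / Code 4 ("fragmentation needed and DF set") message that PMTU discovery depends on looks like on the wire, per RFC 792 and RFC 1191, and a small simulation of the sender's path-MTU estimate under two firewall policies, "drop all ICMP" versus "admit Type 3 / Code 4". The addresses, ports, MTU values and the two policy sets are made up for the demonstration; the packet layout (Next-Hop MTU in bytes 6-7 of the ICMP header, followed by the original IP header plus 8 bytes of its payload) is the standard one.

```python
"""Added example (not from the AusNOG post): an ICMPv4 Type 3 / Code 4
"Fragmentation Needed" message on the wire (RFC 792, RFC 1191), and why a
firewall policy of "drop all ICMP" stalls PMTU discovery while a policy
that admits Type 3 / Code 4 does not. All addresses, ports and MTU values
below are constructed for the demonstration."""
import ipaddress
import struct

ICMP_PROTO = 1
TCP_PROTO = 6
ICMP_DEST_UNREACH = 3        # ICMP type
ICMP_FRAG_NEEDED = 4         # code under type 3: "fragmentation needed and DF set"

# Two hypothetical firewall policies: "all ICMP is bad", and the minimum that keeps PMTUD working.
BLOCK_ALL_ICMP = frozenset()
ALLOW_PMTUD = frozenset({(ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED)})


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, df: bool = False) -> bytes:
    """Minimal 20-byte IPv4 header with a valid header checksum; DF flag set when df=True."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      0x4000 if df else 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def tcp_probe(src: str, dst: str, sport: int, dport: int, payload_len: int) -> bytes:
    """A large DF-marked TCP segment, the kind of packet that triggers PMTUD.
    The TCP checksum is left at 0; it is not what this example is about."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + b"A" * payload_len
    return ipv4_header(src, dst, TCP_PROTO, len(tcp), df=True) + tcp


def frag_needed(router: str, offending: bytes, next_hop_mtu: int) -> bytes:
    """The Type 3 / Code 4 reply a router sends to the offending packet's source:
    type, code, checksum, 2 unused bytes, Next-Hop MTU (RFC 1191), then the
    original IP header plus the first 8 bytes of its payload (enough for the ports)."""
    ihl = (offending[0] & 0x0F) * 4
    icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    icmp += offending[:ihl + 8]
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    orig_src = str(ipaddress.ip_address(offending[12:16]))
    return ipv4_header(router, orig_src, ICMP_PROTO, len(icmp)) + icmp


def parse_icmp(packet: bytes):
    """Decode an ICMP packet; returns None for non-ICMP or a bad ICMP checksum."""
    if packet[9] != ICMP_PROTO:
        return None
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if inet_checksum(icmp) != 0:
        return None
    itype, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    quoted = icmp[8:]                       # the original datagram's header + 8 bytes
    q_ihl = (quoted[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", quoted[q_ihl:q_ihl + 4])
    return {"type": itype, "code": code, "next_hop_mtu": mtu,
            "src": str(ipaddress.ip_address(quoted[12:16])),
            "dst": str(ipaddress.ip_address(quoted[16:20])),
            "sport": sport, "dport": dport}


def icmp_permitted(packet: bytes, allow_icmp) -> bool:
    """Stateless firewall decision for ICMP: pass only (type, code) pairs in allow_icmp.
    Non-ICMP packets are left to other rules and pass here."""
    if packet[9] != ICMP_PROTO:
        return True
    ihl = (packet[0] & 0x0F) * 4
    return (packet[ihl], packet[ihl + 1]) in allow_icmp


def path_mtu_after(inbound: list, allow_icmp, initial_mtu: int = 1500) -> int:
    """The sender's view: its path MTU estimate only drops if the Fragmentation
    Needed message gets through the firewall and quotes a smaller next-hop MTU."""
    pmtu = initial_mtu
    for pkt in inbound:
        if not icmp_permitted(pkt, allow_icmp):
            continue
        info = parse_icmp(pkt)
        if not info or (info["type"], info["code"]) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
            continue
        # Next-Hop MTU of 0 means a pre-RFC 1191 router; the plateau-table fallback is not shown.
        if 0 < info["next_hop_mtu"] < pmtu:
            pmtu = info["next_hop_mtu"]
    return pmtu


if __name__ == "__main__":
    probe = tcp_probe("192.0.2.10", "198.51.100.20", 40000, 443, 1400)   # 1440 bytes on the wire, DF set
    reply = frag_needed("203.0.113.1", probe, 1400)                      # a hop with a 1400-byte MTU
    print(parse_icmp(reply))
    print("drop-all-ICMP policy -> PMTU stays at", path_mtu_after([reply], BLOCK_ALL_ICMP))
    print("allow 3/4 policy     -> PMTU drops to", path_mtu_after([reply], ALLOW_PMTUD))
```

Under the drop-all policy the sender never learns the 1400-byte hop exists, keeps sending 1440-byte DF segments, and the connection stalls once the first full-sized segment is sent; under the policy that admits 3/4 it lowers its estimate on the first reply. A real host should additionally check that the quoted header names one of its own addresses and an active connection before acting on the message, which is the check the quoted original header and 8 payload bytes exist to support.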
