[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20041017132905.R88652@dekadens.coredump.cx>
From: lcamtuf at coredump.cx (Michal Zalewski)
Subject: [SPAM] Your daily internet traffic report
On Sun, 17 Oct 2004, Dave Horsfall wrote:
> To those who seek to block ICMP, I say: "Let them." I'm sure that a
> certain Mr. Charles Darwin will soon sort them out.
What if I just don't set DF on my outgoing traffic, and block incoming
ICMP?
PMTUD is a silly mechanism in that it tends to rely on _diagnostic_
messages that were sometimes blocked for security reasons even before it
was first proposed; and that ohne kludges, it breaks spectacularly and
offers no easy recovery if these messages are blocked. The RFC said:
The Internet Protocol is not designed to be absolutely reliable. The
purpose of these control messages is to provide feedback about
problems in the communication environment, not to make IP reliable.
There are still no guarantees that a datagram will be delivered or a
control message will be returned.
Clearly indicating that it is a bad idea to rely on ICMP responses as
absolutely essential for higher-order to protocols work well. Furthermore:
Another case is when a datagram must be fragmented to be forwarded
by a gateway yet the Don't Fragment flag is on. In this case the
gateway must discard the datagram and may return a destination
unreachable message.
Notice "may". I do not even violate RFC by not sending back "fragmentation
required but DF set" messages.
This is why DF is often cleared by commercial NAT firewalls, proxies and
so forth - to ensure reliability, rather than some added performance.
--
------------------------- bash$ :(){ :|:&};: --
Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--------------------------- 2004-10-17 13:29 --
http://lcamtuf.coredump.cx/photo/current/
Powered by blists - more mailing lists