On Tue, May 16, 2023 at 4:59 PM William Herrin <b...@herrin.us> wrote:
>
> On Tue, May 16, 2023 at 1:38 PM Christopher Morrow
> <morrowc.li...@gmail.com> wrote:
> > On Tue, May 16, 2023 at 2:35 PM William Herrin <b...@herrin.us> wrote:
> > > Ping is used by some versions of traceroute which can help the
> >
> > I think you mean 'icmp' here. yes. I contend that traceroute (udp or
> > icmp or tcp)
> > TOWARDS a destination can be sometimes useful, sure.
>
> I mean ICMP echo-request, colloquially "ping." Traceroute using ICMP

I find you are being oddly imprecise today! :)
"ping" is an application.
icmp type 0 code 0 is 'echo-reply'
icmp type 8 code 0 is 'echo' (request)

The traceroute application on some platforms defaults to UDP and
offers ICMP as a transport.
On some platforms it defaults to ICMP and (may) offer UDP as a transport.

I was simply trying to be clear about 'ping' being an application and
the underlying protocol (icmp)
being what traceroute would be using.

> needs the echo-reply from the destination to know that the trace
> reached the destination, just like it needs port unreachable for UDP
> and RST/SYN-ACK for TCP.
>
>
> > > When working, it also lets the diagnostician know that the site's
> > > firewall administrator didn't ignorantly decide to block all ICMP.
> > > Which so very many ignorant firewall administrators do.
> >
> > sure, but... 'ignorantly' seems to imply that their ideas of their best
> > practice(s) are different from yours. They may have a valid reason
> > to block icmp, even all icmp.
>
> Since that breaks PMTUD on a public-facing service, I'm entirely

Blocking inbound (to your site) some/all ICMP is a decision that some
folk may choose
for a host of reasons. Since the tooling discussed so far isn't
sending icmp-unreachable types
at the g-root server we can't really know if they block 'all icmp', as much as:
  "well it sure seems like they drop icmp-echo!"

It seems like all we know so far is that G-root and/or its network
provider(s) don't like seeing
packets destined to their service which are not service bearing
packets, I don't think we have
evidence that they don't accept icmp unreachables though, I'd imagine
that as a root op they know
better than to drop unreachables since they may serve (probably have to
serve) EDNS0-type replies at times.

The lion's share of traffic (actual dns traffic) to an authoritative
server is small inbound udp/53 (or tcp/53
for which I think OARC has numbers on ratios actually?) packets. Their
replies MAY be large(r) packets
which may be subject to PMTUD problems, which they'll be super
familiar with handling.

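The distinction the thread keeps circling back to (dropped echo is not evidence that unreachables are dropped, and "block all ICMP" is what actually breaks PMTUD) is easy to make concrete. The following is an added example, not code from either poster: it builds a few ICMPv4 messages from constructed bytes (RFC 792 header layout, RFC 1071 checksum, RFC 1191 next-hop MTU field), parses them, and runs them through two hypothetical firewall policies, "drop all ICMP" versus "drop echo only". The policy names and helper functions are this example's own, not any vendor's configuration syntax.

```python
"""Classify ICMPv4 messages and apply two firewall policies to them.

Added example for the thread above; packets are constructed inline, not captured.
"""
import struct

# ICMPv4 (type, code) pairs the thread refers to (RFC 792, RFC 1191).
ECHO_REPLY = (0, 0)
ECHO_REQUEST = (8, 0)       # what "ping" sends; what an ICMP traceroute sends
PORT_UNREACHABLE = (3, 3)   # what a UDP traceroute needs back from the destination
FRAG_NEEDED = (3, 4)        # "fragmentation needed and DF set": PMTUD depends on it
TIME_EXCEEDED = (11, 0)     # TTL expired in transit: what every traceroute needs from hops

# Hypothetical firewall policies: the set of (type, code) pairs that get dropped.
BLOCK_ALL_ICMP = "all"                                  # the "ignorant" rule
BLOCK_ECHO_ONLY = frozenset({ECHO_REQUEST, ECHO_REPLY})  # what G-root appears to do, at most


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: int = 0, payload: bytes = b"") -> bytes:
    """Build an ICMPv4 message: type, code, checksum, 4-byte 'rest of header', payload."""
    header = struct.pack("!BBHI", icmp_type, code, 0, rest)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, rest) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode the fixed 8-byte header and verify the checksum (a valid message sums to 0)."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _csum, rest = struct.unpack("!BBHI", packet[:8])
    info = {"type": icmp_type, "code": code, "checksum_ok": icmp_checksum(packet) == 0}
    if (icmp_type, code) == FRAG_NEEDED:
        # RFC 1191: the low 16 bits of the 'rest of header' carry the next-hop MTU.
        info["next_hop_mtu"] = rest & 0xFFFF
    return info


def firewall_verdict(packet: bytes, policy) -> str:
    """Return 'accept' or 'drop' for one inbound ICMP message under a policy."""
    info = parse_icmp(packet)
    if not info["checksum_ok"]:
        return "drop"
    if policy == BLOCK_ALL_ICMP:
        return "drop"
    return "drop" if (info["type"], info["code"]) in policy else "accept"


# Constructed sample traffic: the payload of an unreachable/time-exceeded message is
# normally the offending IP header plus 8 bytes; here it is placeholder bytes.
SAMPLES = {
    "echo_request": build_icmp(*ECHO_REQUEST, rest=0x12340001, payload=b"ping!"),
    "echo_reply": build_icmp(*ECHO_REPLY, rest=0x12340001, payload=b"ping!"),
    "port_unreachable": build_icmp(*PORT_UNREACHABLE, payload=b"\x45" * 28),
    "frag_needed": build_icmp(*FRAG_NEEDED, rest=1280, payload=b"\x45" * 28),
    "time_exceeded": build_icmp(*TIME_EXCEEDED, payload=b"\x45" * 28),
}


def dropped_under(policy) -> set:
    """Names of the sample messages a policy drops; shows what each rule really costs."""
    return {name for name, pkt in SAMPLES.items() if firewall_verdict(pkt, policy) == "drop"}


if __name__ == "__main__":
    for name, policy in (("block all ICMP", BLOCK_ALL_ICMP), ("block echo only", BLOCK_ECHO_ONLY)):
        print(f"{name}: drops {sorted(dropped_under(policy))}")
```

Under "block echo only", a remote ping fails exactly as observed against G-root, yet fragmentation-needed, port-unreachable and time-exceeded still get through, so PMTUD and UDP traceroute keep working; only the "block all ICMP" rule drops type 3 code 4. A failed ping therefore tells you nothing about which of the two a site chose, which is the point made above.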