Re: Too bigs are sacred, was: Re: IPv6 addressing for core network
On 10 feb 2011, at 0:26, David Freedman wrote: Unless every packet you emit is ≤ the minimum MTU (1280), then, you need to be able to receive TOOBIG messages. Can you think of a packet type I will emit from my publically numbered backbone interface which may solicit a TOOBIG that I'll have to care about? What if you're trying to connect to your routers with 1500-byte+ POS, ATM, ethernet jumbo or what have you interfaces from some system with a big fat jumboframe MTU but some 100 Mbps ethernet firewall or office network in the middle? If you're willing to accept TCP or UDP from somewhere, it's a bad idea to filter ICMP coming in from that same place.
Re: Too bigs are sacred, was: Re: IPv6 addressing for core network
Iljitsch van Beijnum wrote: On 10 feb 2011, at 0:26, David Freedman wrote: Unless every packet you emit is ≤ the minimum MTU (1280), then, you need to be able to receive TOOBIG messages. Can you think of a packet type I will emit from my publically numbered backbone interface which may solicit a TOOBIG that I'll have to care about? What if you're trying to connect to your routers with 1500-byte+ POS, ATM, ethernet jumbo or what have you interfaces from some system with a big fat jumboframe MTU but some 100 Mbps ethernet firewall or office network in the middle? If you're willing to accept TCP or UDP from somewhere, it's a bad idea to filter ICMP coming in from that same place. I think the point I'm making is, that I'm not, I wont accept any traffic to these backbone interfaces from outside the AS, this means no management sessions from outside the network! (and in the rare, emergency cases where something does need to get in from the outside, policy may dictate acl hole-punching to support it) In the case of people having an unreachable core (i.e MPLS hidden or RFC1918/ULA/LinkLocal), this happens already, if they decide to expose this somehow (MPLS TTL propagation, and/or allowing the ICMP out) then it is only to assist troubleshooting (not that I accept RFC1918/ULA sourced traffic from such networks at my edge , anyway), these people are doing this by design, I think thats the point I'm trying to get across, if you will never need to process TOOBIG in your design, there is no need to accept it. -- David Freedman Group Network Engineering Claranet Group
Re: Too bigs are sacred, was: Re: IPv6 addressing for core network
On Thu, 10 Feb 2011 12:15:52 GMT, David Freedman said: these people are doing this by design, I think thats the point I'm trying to get across, if you will never need to process TOOBIG in your design, there is no need to accept it. And how many networks break PMTUD because their design says they never need to deal with ICMP so there's no need to accept it, or break DNS because TCP/53 is only used for zone transfers that should never happen, or... pgppAX6ykO5Gn.pgp Description: PGP signature
Too bigs are sacred, was: Re: IPv6 addressing for core network
On 9 feb 2011, at 18:30, David Freedman wrote: (yes, even ICMP TOOBIG can be filtered safely if you have designed things in a sane way) NO. Even if you run with 1280-byte MTUs everywhere so you'd think path MTU discovery wouldn't be needed, this can still cause problems with IPv6-to-IPv4 translators.
Re: Too bigs are sacred, was: Re: IPv6 addressing for core network
Iljitsch van Beijnum wrote: On 9 feb 2011, at 18:30, David Freedman wrote: (yes, even ICMP TOOBIG can be filtered safely if you have designed things in a sane way) NO. Even if you run with 1280-byte MTUs everywhere so you'd think path MTU discovery wouldn't be needed, this can still cause problems with IPv6-to-IPv4 translators. Calm down, I think you misunderstand, I'm suggesting that you don't design your infrastructure in such a way that your backbone/infrastructure links ever have to receive TOOBIG messages from outside your AS and work with these, your backbone links are of course free to send TOOBIG out! Dave. -- David Freedman Group Network Engineering Claranet Group
Re: Too bigs are sacred, was: Re: IPv6 addressing for core network
On Feb 9, 2011, at 9:50 AM, David Freedman wrote: Iljitsch van Beijnum wrote: On 9 feb 2011, at 18:30, David Freedman wrote: (yes, even ICMP TOOBIG can be filtered safely if you have designed things in a sane way) NO. Even if you run with 1280-byte MTUs everywhere so you'd think path MTU discovery wouldn't be needed, this can still cause problems with IPv6-to-IPv4 translators. Calm down, I think you misunderstand, I'm suggesting that you don't design your infrastructure in such a way that your backbone/infrastructure links ever have to receive TOOBIG messages from outside your AS and work with these, your backbone links are of course free to send TOOBIG out! Dave. -- David Freedman Group Network Engineering Claranet Group Unless every packet you emit is ≤ the minimum MTU (1280), then, you need to be able to receive TOOBIG messages. Owen
Re: Too bigs are sacred, was: Re: IPv6 addressing for core network
Unless every packet you emit is ¾ the minimum MTU (1280), then, you need to be able to receive TOOBIG messages. Can you think of a packet type I will emit from my publically numbered backbone interface which may solicit a TOOBIG that I'll have to care about? I can only think of three cases, all ICMP: 1. An unreachable of some kind (I don't care if this is delivered or not, and why would I be sending them from the backbone? Even rate-limited? If I send them at all this is the responsibility of the edge) 2. A Time Exceed, again, don't care if this is delivered or not 3. A TOOBIG, if I'm getting a TOOBIG in response to my TOOBIG then we all have bigger problems to worry about :) Dave. Owen -- David Freedman Claranet http://www.clara.net