> On 11 Mar 2016, at 11:40, Robert Meyer <r.me...@net-wizard.org> wrote:
> 
> Hi,
> 
>> Furthermore ICMP is _mandatory_ for MTU path discovery to work. So be ready 
>> for all kinds of non-functioning stuff if you transfer larger packets than 
>> the MTU somewhere in the middle (such as trying to squeeze a 1500 byte 
>> ethernet packet into an IPSec tunnel with an MTU around 1426). TCP/IP is 
>> built in a way that it reacts to these ICMP MTU mismatch messages when 
>> packets get dropped on the way due to too big a size. TCP can adapt, but if 
>> ICMP is filtered away, then TCP will not notice and an endless retransmission 
>> dance begins. The odd thing there is that it "kinda works". Sometimes it's 
>> just slow and sometimes nothing works. We use IPSec in our network heavily 
>> and we have seen that happening with large corporations such as 
>> Networksolutions.com (which is one of the oldest companies on the internet, 
>> they should know this stuff!). This can be a big issue. So if I ever find a 
>> consultant telling me I should filter away ICMP just because, I will kick 
>> him out of the door immediately. The only reason where this could be valid 
>> is if you still have Windows95 machines in your network due to the 
>> "ping-of-death" bug. But if you have that, then you're hopelessly lost anyway.
> 
> This is basically only true for IPv6. In IPv4 network devices
> can fragment. This does not mean that I would consider
> filtering ICMP a reasonable idea.

they COULD fragment, but 99% of the routers drop the packet and send an ICMP back

> 
>> 
>> Let's face it. Firewalls and NAT have been built to break the internet in 
>> the way it has been intended, with all kinds of strange side effects. 
>> Thinking they are the only defence to protect you is so wrong. Social 
>> engineering brings hackers behind firewalls and they attack from 
>> inside. A well secured localhost is way more important. I've been using machines 
>> on public IPs without firewall or NAT in between for over 20 years and the 
>> issues I've seen have all been controllable (but I'm not an interesting 
>> target to hack like a Bank). On the other hand NAT & Firewalls (and their 
>> admins) have turned out to be a way bigger problem.
> 
> NAT and Firewalls are not the biggest problem, but there are just
> too many people around configuring these devices with a limited
> understanding of how the internet works.

I can only confirm that...

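The Path MTU discovery failure the thread describes, as an added model that is not part of the original mail exchange: a sender starts out trusting its own 1500-byte Ethernet MTU, the path contains a narrower hop (labelled "ipsec-tunnel" with the 1426-byte MTU quoted above; hop names and values are constructed), and the same transfer is run with ICMP "fragmentation needed" reaching the sender, with ICMP filtered, and with IPv4 fragmentation allowed (DF bit clear, the IPv4 case Robert raises). Sizes are treated as whole IP packet sizes including headers, which keeps the model short.

```python
"""Added example: a small model of Path MTU discovery (PMTUD) across a path
with a narrow hop.  Hop names and MTU values are constructed for illustration."""
from dataclasses import dataclass, field
from math import ceil

IP_HDR = 20  # IPv4 header length without options


@dataclass
class Hop:
    name: str
    mtu: int  # largest IP packet this hop forwards unfragmented


@dataclass
class Outcome:
    delivered: bool        # did the whole transfer arrive?
    attempts: int          # packets the sender had to emit
    final_pmtu: int        # the sender's belief about the path MTU at the end
    events: list = field(default_factory=list)  # human-readable trace


def fragment_count(packet_size: int, mtu: int) -> int:
    """IPv4 fragments a router needs to forward packet_size bytes over a link
    with the given MTU (fragment data must be a multiple of 8 bytes)."""
    if packet_size <= mtu:
        return 1
    per_fragment = ((mtu - IP_HDR) // 8) * 8
    return ceil((packet_size - IP_HDR) / per_fragment)


def send_over_path(total_bytes, path, icmp_reaches_sender=True, df=True, max_attempts=8):
    """Move total_bytes across path, one packet per attempt.

    With DF set, an oversized packet is dropped at the narrow hop, and only the
    ICMP 'fragmentation needed' message lets the sender lower its PMTU.  If that
    message is filtered, the sender keeps retransmitting the same size until it
    gives up: the 'endless retransmission dance' from the thread.
    """
    pmtu = path[0].mtu          # the sender trusts its own link MTU at first
    remaining = total_bytes
    out = Outcome(False, 0, pmtu)
    while remaining > 0 and out.attempts < max_attempts:
        out.attempts += 1
        size = min(remaining, pmtu)
        narrow = next((h for h in path if h.mtu < size), None)
        if narrow is None:
            remaining -= size
            out.events.append(f"{size}B delivered")
        elif not df:
            # IPv4 with DF clear: the router fragments instead of dropping
            pieces = fragment_count(size, narrow.mtu)
            remaining -= size
            out.events.append(f"{narrow.name}: fragmented {size}B into {pieces} pieces")
        elif icmp_reaches_sender:
            pmtu = narrow.mtu   # PMTUD: adopt the MTU reported by the router
            out.events.append(f"{narrow.name}: ICMP frag-needed, mtu={pmtu}")
        else:
            out.events.append(f"{narrow.name}: {size}B silently dropped (ICMP filtered)")
    out.delivered = remaining == 0
    out.final_pmtu = pmtu
    return out


# Constructed path: Ethernet -> IPsec tunnel with a 1426-byte MTU -> Ethernet
EXAMPLE_PATH = [Hop("ethernet", 1500), Hop("ipsec-tunnel", 1426), Hop("ethernet", 1500)]


def demo():
    """Run the three scenarios for one 1500-byte transfer and return them."""
    return {
        "icmp_ok": send_over_path(1500, EXAMPLE_PATH, icmp_reaches_sender=True),
        "icmp_filtered": send_over_path(1500, EXAMPLE_PATH, icmp_reaches_sender=False),
        "ipv4_df_clear": send_over_path(1500, EXAMPLE_PATH, df=False),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: delivered={outcome.delivered} attempts={outcome.attempts} "
              f"pmtu={outcome.final_pmtu}")
        for event in outcome.events:
            print("   ", event)
```

With ICMP passing, the sender learns the 1426-byte MTU after one lost packet and finishes in three; with ICMP filtered it never learns anything and gives up after the retry limit with nothing delivered, which is the "kinda works, sometimes nothing" symptom on a real link where small packets still get through. On a live Linux host the equivalent check is `ping -M do -s <size>` towards the far end, which sets DF and reports "message too long" or a silent loss.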

_______________________________________________
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog