RE: Digital Island sponsors DoS attempt?

From: Quibell, Marc (no email)
Date: Fri Oct 26 2001 - 14:19:51 EDT

The answer is yes, that's what I'm saying. PMTU is fine on a LAN that could
be capable of Jumbo Frames, but is pretty much useless over the WAN or
internet since the PMTU has to use the lowest comon denominator MTU in the
path. Nobody I know, nor have I ever had a problem with "PMTU" and shutting
off ICMP routing. And no I do not believe it is used across the internet,
and if it does, it is probably hindering performance since it's probably
using a lower mtu than is allowed, such as 576 or smaller. It would also
have problems running across multi-level routing hierarchies.

No, there is a greater need for ICMP drops, and that is ping attacks. Still
happening to some of our customers. No one's going to sit there and filter
IP blocks. There are currently no viable uses or reasons for pinging into
private networks, except for possible troubleshooting, in which case the
admin would be involved.

Finally, I do not believe PMTU uses pings to discover the PMTU. I believe it
uses TCP or UDP packets at the layers above IP, and it DOES use "ICMP Packet
Too big" responses (from the receiver) to cut it's packet size. So in
reality, a router blocking ICMP from being routed through can still send
these ICMP messages PMTU needs. Is this how you understand it?


-----Original Message-----
From: [mailto:]
Sent: Friday, October 26, 2001 12:22 PM
To: Quibell, Marc
Subject: Re: Digital Island sponsors DoS attempt?

On Fri, 26 Oct 2001 12:01:38 CDT, "Quibell, Marc" said:
> That's all fine Valdis, but no one does MTU check on the internet or pmtu
> checks. This is all LAN-based...

Umm.. I'm confused. What's all LAN-based?

Or you saying that PMTU Discovery isn't used *at all*?

Or that it's not *widely* used, mostly because a large chunk of the net *is*
stuck at 1500-byte MTUs, and a large fraction of the rest has broken PMTU
discovery because of boneheaded ICMP filtering?

				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech

Hosted Email Solutions

Invaluement Anti-Spam DNSBLs

Powered By FreeBSD   Powered By FreeBSD