On Mon, 21 Aug 2006, Patrick M. Hausen wrote:

> > minumum of 576 if you'd like ~100% success,)

> Got it. But 576 doesn't guarantee 100% success, even if you have
> a fair chance ;-)

That's why the ~ was there-- sure, some submarines and possibly some .mil
satcom links can't get to your site- *shrug* - if you're in that game,
you already should know the limitations.

> IIRC any IP implementation must be able to receive at least 576
> bytes sized frames. But there is no mandation of a minimum path MTU
> of that size. 256 bytes or something in that order was common on
> dialup modem links.

Then set it to 256- the point is that you can get very reasonable values
of functionality without transiting ICMP. The times I've done this (back
when there was a *lot* more dial-up than there is today,) I've had very,
very few issues.

> > But since you control PMTU on your network, you can simply shrink it
> > enough and allow the ICMP traffic between trusted nodes only. Solves the
> > problem.

> I was thinking of the not so knowledgable server/firewall admin
> blocking ICMP without those measures. And, what's so bad about
> ICMP "df needed" messages? Of course I'm not proposing to allow _all_
> types of ICMP through.

Everything you let in opens the gates a little more, who can say how much
creep is bad for one site or another? My point was simply that you can
limit things to what's under your control and still be effective.

Perfect is still the enemy of good enough.

Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
http://fora.compuwar.net Infosec discussion boards

firewall-wizards mailing list