Firewall Wizards mailing list archives

Re: how to block ICMP tunneling?


From: Dru <genisis () istar ca>
Date: Sat, 24 Jul 1999 20:51:19 -0400 (EDT)


On Tue, 20 Jul 1999, Ryan Russell wrote:

Indeed.  I've really come to dislike ICMP.  It's just too "out of band" for its
own good.  Does anyone know if this is being improved in IPv6?  (Not that it will
necessarily do any good, but I don't know where else one would "fix" it.)
For Path MTU discovery, shouldn't there be an explicit way to get the
exact MTU discovered?  Say... as the SYN packet travels to the server,
have the routers decrement a "client path MTU" field to the smallest
MTU along the way.  Same with the SYN-ACK on the way back
with a "server path MTU".  There would have to be a way for it to change in
the middle, too, for re-routes.

The Internet Draft on ICMPv6 has some interesting bits:

http://www.ietf.org/internet-drafts/draft-ietf-ipngwg-icmp-v3-00.txt

The author of the draft states that it does not describe the procedures
for using these messages to achieve functions like Path MTU discovery as
such procedures are described in other documents.

The draft has made some modifications to RFC 2463.

Dru


