nanog mailing list archives
RE: Digital Island sponsors DoS attempt?
From: "Quibell, Marc" <mquibell () icn state ia us>
Date: Fri, 26 Oct 2001 13:19:51 -0500
The answer is yes, that's what I'm saying. PMTU is fine on a LAN that could be capable of Jumbo Frames, but is pretty much useless over the WAN or internet since the PMTU has to use the lowest common denominator MTU in the path. Nobody I know, nor have I ever had a problem with "PMTU" and shutting off ICMP routing. And no I do not believe it is used across the internet, and if it does, it is probably hindering performance since it's probably using a lower mtu than is allowed, such as 576 or smaller. It would also have problems running across multi-level routing hierarchies.

No, there is a greater need for ICMP drops, and that is ping attacks. Still happening to some of our customers. No one's going to sit there and filter IP blocks. There are currently no viable uses or reasons for pinging into private networks, except for possible troubleshooting, in which case the admin would be involved.

Finally, I do not believe PMTU uses pings to discover the PMTU. I believe it uses TCP or UDP packets at the layers above IP, and it DOES use "ICMP Packet Too big" responses (from the receiver) to cut its packet size. So in reality, a router blocking ICMP from being routed through can still send these ICMP messages PMTU needs. Is this how you understand it?

Marc

-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu]
Sent: Friday, October 26, 2001 12:22 PM
To: Quibell, Marc
Cc: nanog () merit edu
Subject: Re: Digital Island sponsors DoS attempt?

On Fri, 26 Oct 2001 12:01:38 CDT, "Quibell, Marc" said:
> That's all fine Valdis, but no one does MTU check on the internet or pmtu checks. This is all LAN-based...
Umm.. I'm confused. What's all LAN-based? Or are you saying that PMTU Discovery isn't used *at all*? Or that it's not *widely* used, mostly because a large chunk of the net *is* stuck at 1500-byte MTUs, and a large fraction of the rest has broken PMTU discovery because of boneheaded ICMP filtering?

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
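
The trade-off argued in this message, as an added example that is not from the thread: a toy Python model of IPv4 PMTUD per RFC 1191, in which the router whose next-hop link is too small for a DF packet reports that link's MTU in an ICMP type 3 code 4 error. The path, MTU values and policy names are constructed; it compares dropping only echo requests with dropping all forwarded ICMP, including the case where the filtering router is itself the bottleneck.

```python
# Added illustration, not from the thread: toy model of IPv4 Path MTU
# Discovery (RFC 1191). The path, MTU values and policy names are constructed.

ICMP_ECHO_REQUEST = (8, 0)   # ping
ICMP_FRAG_NEEDED = (3, 4)    # Destination Unreachable, fragmentation needed and DF set

# Each policy answers: does the filtering router drop this forwarded ICMP type/code?
FILTER_POLICIES = {
    "allow_all": lambda icmp: False,
    "drop_echo_only": lambda icmp: icmp == ICMP_ECHO_REQUEST,
    "drop_all_icmp": lambda icmp: True,
}

def discover_pmtu(link_mtus, filter_router, policy, max_tries=8):
    """Sender side of PMTUD for DF-marked packets.

    link_mtus[k] is the MTU of the link router k forwards onto (router 0 is
    the sender's own interface). filter_router is the index of the router
    applying the policy to ICMP it forwards toward the sender.
    Returns (path_mtu or None if black-holed, packets_sent).
    """
    drops = FILTER_POLICIES[policy]
    size = link_mtus[0]  # RFC 1191: start from the first-hop MTU
    for sent in range(1, max_tries + 1):
        too_small = next(((k, m) for k, m in enumerate(link_mtus) if size > m), None)
        if too_small is None:
            return size, sent  # packet fit every link and reached the receiver
        router, next_hop_mtu = too_small
        # Errors originated beyond the filter must be forwarded through it;
        # errors the filter router originates itself are not subject to it.
        if router > filter_router and drops(ICMP_FRAG_NEEDED):
            continue  # sender hears nothing and retransmits the same size
        size = next_hop_mtu  # shrink to the MTU reported in the ICMP error
    return None, max_tries

def compare_policies(link_mtus, filter_router):
    """Per policy: is ping blocked, and does PMTUD still converge?"""
    return {
        name: {"ping_blocked": drops(ICMP_ECHO_REQUEST),
               "pmtu": discover_pmtu(link_mtus, filter_router, name)[0]}
        for name, drops in FILTER_POLICIES.items()
    }

if __name__ == "__main__":
    # Constructed path: bottleneck (1400) sits one hop beyond the filter at router 1.
    for name, result in compare_policies([1500, 1500, 1400, 1500], 1).items():
        print(f"{name:15} {result}")
```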