nanog mailing list archives

RE: Digital Island sponsors DoS attempt?


From: "Quibell, Marc" <mquibell () icn state ia us>
Date: Fri, 26 Oct 2001 13:47:14 -0500


I actually thought about that being a problem, only if you block ALL ICMP
messages. Any router beyond the blocking one will break PMTU discovery, so
yeah you're right. One could always deny specific ICMP types....

Marc 

-----Original Message-----
From: Bob K [mailto:melange () yip org]
Sent: Friday, October 26, 2001 1:45 PM
To: Quibell, Marc
Cc: nanog () merit edu
Subject: RE: Digital Island sponsors DoS attempt? 


On Fri, 26 Oct 2001, Quibell, Marc wrote:

Finally, I do not believe PMTU uses pings to discover the PMTU. I believe
it uses TCP or UDP packets at the layers above IP, and it DOES use "ICMP
Packet Too big" responses (from the receiver) to cut its packet size. So in
reality, a router blocking ICMP from being routed through can still send
these ICMP messages PMTU needs. Is this how you understand it?

Don't forget that routers or hosts beyond (from the point of view of the
host attempting PMTU) your ICMP-blocking router may have smaller MTUs than
the norm and may be trying to send ICMP errors back...

-- 
Bob <melange () yip org> | We're all wrong.
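
The two cases discussed in this thread, as an added example that is not part of the original messages: a toy Python model of Path MTU discovery in which a filtering router can still originate its own ICMP errors but drops errors transiting it from routers further along. Hop names, MTU values and policy names are constructed for illustration.

```python
from dataclasses import dataclass

FRAG_NEEDED = (3, 4)  # ICMP type 3 code 4: "fragmentation needed and DF set"

@dataclass
class Hop:
    name: str
    mtu: int                        # MTU of the link this hop forwards onto
    icmp_policy: str = "allow_all"  # applied to ICMP *transiting* this hop

def transit_ok(hop, icmp):
    """Would this hop forward an ICMP message passing through it to the sender?"""
    if hop.icmp_policy == "allow_all":
        return True
    if hop.icmp_policy == "allow_frag_needed":
        return icmp == FRAG_NEEDED  # deny other ICMP, keep what PMTUD needs
    return False                    # "deny_all"

def discover_pmtu(path, first_size=1500, max_tries=8):
    """Sender emits DF-set packets and shrinks them on each ICMP error received.
    Returns (pmtu, None) on success or (None, reason) when the error is lost."""
    size = first_size
    for _ in range(max_tries):
        for i, hop in enumerate(path):
            if size > hop.mtu:
                # Hop i originates the error itself; only hops nearer the
                # sender (path[:i]) get a chance to filter it on the way back.
                if all(transit_ok(h, FRAG_NEEDED) for h in path[:i]):
                    size = hop.mtu  # sender adopts the reported next-hop MTU
                    break
                return None, f"black hole: error from {hop.name} filtered"
        else:
            return size, None       # packet crossed every hop unfragmented
    return None, "gave up"

# Constructed paths, listed from the sender outward.
BLOCKER_HAS_SMALL_MTU = [Hop("edge", 1500), Hop("filter", 1400, "deny_all"),
                         Hop("far", 1500)]
SMALL_MTU_BEYOND = [Hop("edge", 1500), Hop("filter", 1500, "deny_all"),
                    Hop("tunnel", 1400)]
SPECIFIC_TYPES = [Hop("edge", 1500), Hop("filter", 1500, "allow_frag_needed"),
                  Hop("tunnel", 1400)]

if __name__ == "__main__":
    for label, path in [("blocker has small MTU", BLOCKER_HAS_SMALL_MTU),
                        ("small MTU beyond blocker", SMALL_MTU_BEYOND),
                        ("permit type 3 code 4 only", SPECIFIC_TYPES)]:
        print(label, "->", discover_pmtu(path))
```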

