nanog mailing list archives
Re: Smallest Transit MTU
From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Fri, 31 Dec 2004 10:20:57 +0100
On 31-dec-04, at 9:57, David Schwartz wrote:
I am defending the decision to configure firewalls (before ECN was deployed) to drop packets that had this bit set,
As a general rule, (dropping packets with bits set that you don't understand) this is a bad one, as this makes any kind of improvement to protocols unbelievably more difficult.
In this specific case, if you're paranoid enough to want to avoid hosts seeing these unknown bits, the right thing to do wouldn't be to drop the packets, but to clear the bits.
The view I am opposing is that this decision was unreasonable to make at the time it was made.
Not unreasonable, just bad. This thread started because of the problems people see when stupid firewall admins send out packets with the DF bit set and then ignore incoming packet too big ICMP messages. Now either of these can be done (although there is no reason for the latter), but NOT at the same time. All of this is well known since the dawn of time (well, over 10 years at least) but still a significant number of people can't seem to get it right. Expecting every firewall admin to know about each and every new bit in completely unrealistic.
He *does* have a point - the fact that the firewall knows about the new feature doesn't mean that the target host behind the firewall is able todo something reasonable/correct with the new feature....
Precisely. That's why you can't make the decision without knowing what you're talking about. For firewalls, one generally errs on the side of security and accepts that changes may result in inconvenience until configurations can be maintained.
Try doing this with mail headers and you'll see why this won't work.
All I'm saying is that, when possible and there's sufficient clue to maintain it, firewalls should be configured to block everything unknown, to the extent possible. This includes packets with bits set in the header whose meaning is unknown and which are mandated to be cleared by existing RFCs.
I'm not even going to bother looking up the RFCs. I'm 100% sure it says "set to 0 on transmit, ignore on recieve".
BTW, what exactly does ECN accomplish in the real world? I thought congestion was pretty much a problem of the past?
Current thread:
- Re: Smallest Transit MTU, (continued)
- Re: Smallest Transit MTU Robert E . Seastrom (Dec 30)
- Re: Smallest Transit MTU John Kristoff (Dec 30)
- Re: Smallest Transit MTU Robert E . Seastrom (Dec 31)
- RE: Smallest Transit MTU Scott Weeks (Dec 30)
- RE: Smallest Transit MTU Matthew Kaufman (Dec 30)
- RE: Smallest Transit MTU David Schwartz (Dec 30)
- Re: Smallest Transit MTU Valdis . Kletnieks (Dec 30)
- Re: Smallest Transit MTU Iljitsch van Beijnum (Dec 31)