nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Smallest Transit MTU

From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Fri, 31 Dec 2004 10:20:57 +0100

On 31-dec-04, at 9:57, David Schwartz wrote:


I am defending the decision to configure firewalls (before
ECN was deployed) to drop packets that had this bit set,
As a general rule, (dropping packets with bits set that you don't understand) this is a bad one, as this makes any kind of improvement to protocols unbelievably more difficult.
In this specific case, if you're paranoid enough to want to avoid hosts seeing these unknown bits, the right thing to do wouldn't be to drop the packets, but to clear the bits. 


        The view I am opposing is that this decision was
unreasonable to make at the time it was made.
Not unreasonable, just bad. This thread started because of the problems people see when stupid firewall admins send out packets with the DF bit set and then ignore incoming packet too big ICMP messages. Now either of these can be done (although there is no reason for the latter), but NOT at the same time. All of this is well known since the dawn of time (well, over 10 years at least) but still a significant number of people can't seem to get it right. Expecting every firewall admin to know about each and every new bit in completely unrealistic.
He *does* have a point - the fact that the firewall knows about the new feature doesn't mean that the target host behind the firewall is able to 
do something reasonable/correct with the new feature....



        Precisely. That's why you can't make the decision without
knowing what you're talking about. For firewalls, one generally
errs on the side of security and accepts that changes may result
in inconvenience until configurations can be maintained.


Try doing this with mail headers and you'll see why this won't work.


All I'm saying is that, when possible and there's sufficient clue to
maintain it, firewalls should be configured to block everything
unknown, to the extent possible. This includes packets with bits
set in the header whose meaning is unknown and which are mandated
to be cleared by existing RFCs.
I'm not even going to bother looking up the RFCs. I'm 100% sure it says "set to 0 on transmit, ignore on recieve".
BTW, what exactly does ECN accomplish in the real world? I thought congestion was pretty much a problem of the past?
Previous By Date Next
Previous By Thread Next

Current thread: