Re: [NANOG] [OPSEC] Microsoft.com PMTUD black hole?

["Smith, Donald" <Donald.Smith () qwest com>]

A few comments on your comments below.


RM=for(1)
{manage_risk(identify_risk(product[i++]) &&
(identify_threat[product[i++]))}
Donald.Smith () qwest com giac 

> -----Original Message-----
> From: opsec-bounces () ietf org [mailto:opsec-bounces () ietf org] 
> On Behalf Of Iljitsch van Beijnum
> Sent: Thursday, May 08, 2008 3:24 AM
> To: Joel Jaeggli
> Cc: guillermo () gont com ar; opsec () ietf org; NANOG list
> Subject: Re: [OPSEC] [NANOG] Microsoft.com PMTUD black hole?
>
> On 8 mei 2008, at 9:53, Joel Jaeggli wrote:
>
> > Oddly enough there is a draft on the subject of icmp filtering
> > recomendations is making the rounds.
>
> >
> http://tools.ietf.org/wg/opsec/draft-gont-opsec-icmp-filtering-00.txt
>
> > The opsec working group (opsec () ietf org) and the authors would
> > appreciate feedback from operators on the subject.
>
> Speaking as someone who isn't interested in reading an 
> explanation of  
> what happens when the message is filtered for every ICMP 
> message known  
> to man, I find this a completely useless document: I can't find the  
> recommendations. Either they're there but impossible to find by  
> looking at the table of contents or searching for "recommend", or  
> they're not there in which case the title is EXTREMELY misleading.

I believe a table of what to filter where was recommended.
I hope that table includes filtering and ratelimiting from, through, and
to.

However blindly accepting recommendations without understanding the
possibly ramifications 
such filtering can have on your network is not wise.

> Also:
>
> 2.1.1.5.4. Operational/interoperability impact if blocked Filtering  
> this error message breaks the Path-MTU Discovery mechansim described  
> in [RFC1191].
>
> This is completely insufficient because it doesn't mention 
> that 99% of  
> all TCP traffic on today's internet uses PMTUD and filtering these  
> messages leads to broken connectivity towards destinations that have  
> an MTU lower than the source (lower than 1500 in practice).

I suspect your statistics. I don't believe the number is anywhere near
99% but haven't seen a study that would support any actual % numbers of
traffic that relies on PMTUD. If your aware of such a study/research I
would be interested in reviewing the results.

Again filtering THROUGH a device is probably not advisable filtering TO
your device might be advisable.

> Please spell check and five levels of numbering is considered 
> bad style.
> _______________________________________________
> OPSEC mailing list
> OPSEC () ietf org
> https://www.ietf.org/mailman/listinfo/opsec


This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly 
prohibited and may be unlawful.  If you have received this communication 
in error, please immediately notify the sender by reply e-mail and destroy 
all copies of the communication and any attachments.

_______________________________________________
NANOG mailing list
NANOG () nanog org
http://mailman.nanog.org/mailman/listinfo/nanog