North American Network Operators Group


RE: Digital Island sponsors DoS attempt?

  • From: Nicholas Bastin
  • Date: Fri Oct 26 17:13:32 2001

On Fri, 2001-10-26 at 14:19, Quibell, Marc wrote:
> 
> The answer is yes, that's what I'm saying. PMTU is fine on a LAN that could
> be capable of Jumbo Frames, but is pretty much useless over the WAN or
> internet since the PMTU has to use the lowest common denominator MTU in the
> path. Nobody I know, nor have I ever had a problem with "PMTU" and shutting
> off ICMP routing. And no I do not believe it is used across the internet,
> and if it is, it is probably hindering performance since it's probably
> using a lower MTU than is allowed, such as 576 or smaller. It would also
> have problems running across multi-level routing hierarchies.

(I'll make the assumption here that PMTU really means PMTU-D in some
cases)

Using the lowest common denominator MTU in the path is exactly the
point, and it's pretty hard to find out what that value is with PMTU-D. 
It *is* used across the internet, and while the MTU usually gets
affected nearer to the edge than the core (PPPoE or other reasons),
various forms of tunneling in the path can drop it below 1500 bytes. 
Also, I'd be interested in hearing any facts you might be able to
present on why it would have any problem running across multi-level
routing hierarchies, as I can't possibly see how the choice of routing
protocol or hierarchy would affect the path MTU in the least.

> No, there is a greater need for ICMP drops, and that is ping attacks. Still
> happening to some of our customers. No one's going to sit there and filter
> IP blocks. There are currently no viable uses or reasons for pinging into
> private networks, except for possible troubleshooting, in which case the
> admin would be involved.

So, your ACLs can determine whether it's an admin or a user sending
ICMP.  That's an interesting piece of hardware you have there...

And I don't know about everyone else, but if your network were truly
'private', I wouldn't be able to ping into it anyhow.  As soon as you
have users, connect to the internet, and expect to be able to reach the
internet in a mostly unrestricted manner, your network doesn't fit my
definition of 'private'.

--
Nick Bastin
OPNET Technologies
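The point Nick makes above (the path MTU is the minimum MTU of every link in the path, PMTU-D is how a sender learns it, and tunneling or PPPoE pushes it below 1500) and Marc's point about dropping ICMP at the edge interact in a way that is easy to see in a small simulation. The following is an added example, not code from either poster or from NANOG: it models a path as a list of hops with constructed MTU values, a sender that runs the RFC 1191 discovery loop with DF set, and an edge firewall that optionally filters the ICMP "fragmentation needed" message (type 3, code 4). The hop names, MTU values and the `build_path` helper are all assumptions made for the example; the PPPoE (8 bytes) and basic GRE-over-IPv4 (24 bytes) overheads are the well-known values.

```python
"""Simulate Path MTU Discovery (RFC 1191) across a multi-hop path, with and
without an edge firewall that drops all ICMP, including type 3 / code 4
("fragmentation needed and DF set"). All hops and values are constructed
for this example; nothing here reflects a real network."""
from dataclasses import dataclass

# Well-known encapsulation overheads that shrink a 1500-byte link's usable MTU.
PPPOE_OVERHEAD = 8     # PPPoE (6) + PPP (2) headers -> 1492 on a 1500 link
GRE_OVERHEAD = 24      # outer IPv4 header (20) + basic GRE header (4) -> 1476
IPV4_MIN_REASSEMBLY = 576  # the historic fallback size mentioned in the thread


@dataclass
class Hop:
    name: str
    mtu: int
    drops_icmp_frag_needed: bool = False  # "shut off ICMP" at this hop


def effective_mtu(link_mtu: int, *overheads: int) -> int:
    """MTU left for the encapsulated packet after tunnel/PPPoE overhead."""
    return link_mtu - sum(overheads)


def send_df(path, size):
    """Forward one DF-set packet of `size` bytes hop by hop.

    Returns ("delivered", size) if it fits every link,
            ("frag_needed", hop_mtu) if a router drops it and its ICMP
                                     reaches the sender, or
            ("blackhole", hop_mtu)   if the router drops it but a hop between
                                     it and the sender filters the ICMP."""
    icmp_filtered = False
    for hop in path:
        # Any filtering hop we have already passed sits on the return path
        # of the ICMP message, so it would eat the frag-needed reply.
        if hop.drops_icmp_frag_needed:
            icmp_filtered = True
        if size > hop.mtu:
            return ("blackhole" if icmp_filtered else "frag_needed", hop.mtu)
    return ("delivered", size)


def discover_pmtu(path, start=1500, max_rounds=10):
    """PMTU-D sender loop: start at the local MTU and shrink to the next-hop
    MTU advertised in each frag-needed message. Returns the discovered path
    MTU, or None when the sender gets no feedback (a PMTU-D black hole)."""
    size = start
    for _ in range(max_rounds):
        status, value = send_df(path, size)
        if status == "delivered":
            return size
        if status == "frag_needed":
            size = value
            continue
        return None  # blackhole: large packets vanish, no ICMP, session hangs
    return None


def lowest_common_mtu(path):
    """The 'lowest common denominator' MTU the thread talks about."""
    return min(hop.mtu for hop in path)


def build_path(filter_icmp_at_edge: bool):
    """Constructed example path: LAN -> edge firewall -> ISP core ->
    remote PPPoE access link -> GRE tunnel -> destination LAN."""
    return [
        Hop("edge-firewall", 1500, drops_icmp_frag_needed=filter_icmp_at_edge),
        Hop("isp-core", 4470),
        Hop("remote-pppoe", effective_mtu(1500, PPPOE_OVERHEAD)),   # 1492
        Hop("gre-tunnel", effective_mtu(1500, GRE_OVERHEAD)),       # 1476
        Hop("destination-lan", 1500),
    ]


if __name__ == "__main__":
    for filtered in (False, True):
        path = build_path(filtered)
        print(f"ICMP filtered at edge: {filtered}")
        print(f"  path minimum MTU : {lowest_common_mtu(path)}")
        print(f"  PMTU-D result    : {discover_pmtu(path)}")
        print(f"  576-byte DF send : {send_df(path, 576)[0]}")
```

With ICMP passed through, the sender converges on 1476 after two frag-needed replies (1500 to 1492, then 1492 to 1476), which is exactly the minimum link MTU in the path. With the edge firewall dropping all ICMP, the first 1500-byte packet is silently lost and the sender never learns why; only something as small as 576 bytes gets through, which is the "lower MTU than is allowed" cost of filtering ICMP wholesale instead of permitting type 3 / code 4 while rate-limiting echo.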