North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: Digital Island sponsors DoS attempt?

  • From: Quibell, Marc
  • Date: Fri Oct 26 17:26:43 2001

Hierarchial routing, not routing protocols: from far-end points to backbone
and back out. Different interfaces support different MTU's. In this context,
let's say your lowest common denominator starts at (A maximum of) 64000 MTU,
from your GBit. Jumbo frames. Somewhere in that range I think. Let's say
your pipe to the internet is an OC-3, an edge router. What is that, 9172
MTU? Your MTU has just been sliced and diced and PMTU-D, from it's return
"Packet too big" ICMPs has cut it down to size. You basically said it
already, and in fact the RFC defines this as well, though does not go into
further detail. This is what I think is meant by hierarchial routing. 

Concerning ACLs, I don't see a problem filtering ICMPs using source and
destination addresses. An admin's source and destination address or just
his/her source being permitted? I believe there are also methods of
filtering ICMP types as well, as defined in RFC1700?
Yes Networks are private, and using firewalls help keep them that way. Can
you login to a private network? Just because you can ping does not grant you
access..And just because they have an internet line does not make them
public domain.

Marc 



-----Original Message-----
From: Nicholas Bastin [mailto:[email protected]]
Sent: Friday, October 26, 2001 4:08 PM
To: Quibell, Marc
Cc: '[email protected]'; [email protected]
Subject: RE: Digital Island sponsors DoS attempt?


On Fri, 2001-10-26 at 14:19, Quibell, Marc wrote:
> 
> The answer is yes, that's what I'm saying. PMTU is fine on a LAN that
could
> be capable of Jumbo Frames, but is pretty much useless over the WAN or
> internet since the PMTU has to use the lowest comon denominator MTU in the
> path. Nobody I know, nor have I ever had a problem with "PMTU" and
shutting
> off ICMP routing. And no I do not believe it is used across the internet,
> and if it does, it is probably hindering performance since it's probably
> using a lower mtu than is allowed, such as 576 or smaller. It would also
> have problems running  across multi-level routing hierarchies.

(I'll make the assumption here that PMTU really means PMTU-D in some
cases)

Using the lowest common denominator MTU in the path is exactly the
point, and it's pretty hard to find out what that value is with PMTU-D. 
It *is* used across the internet, and while the MTU usually gets
affected nearer to the edge than the core (PPPoE or other reasons),
various forms of tunneling in the path can drop it below 1500 bytes. 
Also, I'd be interested in hearing any facts you might be able to
present on why it would have any problem running across multi-level
routing hierarchies, as I can't possibly see how the choice of routing
protocol or hierarchy would affect the path MTU in the least.

> No, there is a greater need for ICMP drops, and that is ping attacks.
Still
> happening to some of our customers. No one's going to sit there and filter
> IP blocks. There are currently no viable uses or reasons for pinging into
> private networks, except for possible troubleshooting, in which case the
> admin would be involved.

So, your ACLs can determine whether it's an admin or a user sending
ICMP.  That's an interesting piece of hardware you have there...

And I don't know about everyone else, but if your network were truly
'private', I wouldn't be able to ping into it anyhow.  As soon as you
have users, connect to the internet, and expect to be able to reach the
internet in a mostly unrestricted manner, your network doesn't fit my
definition of 'private'.

--
Nick Bastin
OPNET Technologies