[NANOG] Microsoft.com PMTUD black hole?
Tomas L. Byrnes
tomb at byrneit.net
Wed May 7 20:42:15 UTC 2008
The remedy you have below is NOT the only one, and is, in fact, a
non-sequitur in this case.
PMTUD uses the DF (for Don't_Fragment) bit, and works by getting an ICMP
Fragmentation needed response from the hop on the path where the packet
is too large, not a fragmentation and forward, so the union of PMTUD
packets and fragmented ones is 0.
The network-level solution to ping of death is to BLOCK fragmented
packets, and the way to ensure this doesn't self-deny-service is to
perform PMTUD and Black-Hole Router discovery.
> -----Original Message-----
> From: Iljitsch van Beijnum [mailto:iljitsch at muada.com]
> Sent: Wednesday, May 07, 2008 1:35 PM
> To: Michael Sinatra
> Cc: nanog at merit.edu
> Subject: Re: [NANOG] Microsoft.com PMTUD black hole?
>
> On 7 mei 2008, at 21:46, Michael Sinatra wrote:
>
> >> MS does in fact block _all_ ICMP
> >> at the edge of their network, that they are aware that
> this will in
> >> fact break PMTUD, and that they have no current plans to
> change this
> >> practice which they have implemented in the interest of security.
>
> > Perhaps
> > they should also block _all_ TCP and UDP as well, and then
> we can move
> > on.
>
> > I agree with Iljitsch that it happens frequently, but I think I am
> > justified in expecting more than that from Microsoft.
> Anything less
> > would be unprofessional.
>
> Right.
>
> Now Microsoft is also the company that built the OS that
> could be crashed by a maliciously crafted fragmented IP
> packet, so maybe there's something to this security policy.
> (One hopes that this bug and others like it are now fixed.)
>
> However, in that case the only workable course of action
> would be TO DISABLE PATH MTU DISCOVERY!
>
> You can't have your cake and eat it too.
>
> _______________________________________________
> NANOG mailing list
> NANOG at nanog.org
> http://mailman.nanog.org/mailman/listinfo/nanog
>
More information about the NANOG
mailing list