[NANOG] Microsoft.com PMTUD black hole?
Deepak Jain
deepak at ai.net
Wed May 7 22:07:06 UTC 2008
Nathan Anderson/FSR wrote:
> Nevertheless, the person I have been in contact with is naturally not
> the final decision-maker on this issue and is going to continue to pass
> the issue on up the chain of command for me. So although this issue is
> not over and I do not have a final verdict from MS yet, I felt that,
> given that I don't know how much time to expect to pass between now and
> when that final verdict is rendered, it would be appropriate to let
> everybody here know what I have learned thus far. Hopefully public
> dissemination of this information factoid will prevent others in a
> position similar to mine from having to helplessly beat their heads into
> their keyboards.
Let's also not ignore the generally overworked IT administrator at any
small- or medium-sized enterprise. He/she may not be (as many folks I've
run into are) of the mistaken impression that ICMP *is* bad and leaves
you vulnerable to all sorts of things like SMURF. There are even tools
out there that "test" your vulnerability by "pinging" you and do other
investigations.
I know of a tool that a major financial institution uses when certifying
your network's security -- that scrapes the version number from your
ESMTP banner to decide whether you comply or not (and other banners).
(Rather than actually testing for a specific vulnerability). Simply
blocking all of these packets from their test host gives you a high
passing score; possibly a perfect one. [Irony and humor aside...]
Many non-SP IT folks think they understand TCP, grudgingly accept UDP
for DNS from external sources and think everything else is bollocks.
Many *might* have a fit if they saw Microsoft accepting ICMPs because
that seems inconsistent with their knowledge of turn-the-knob network
security. To their view, their Linksys/Netgear/whathaveyou COTS
firewalls block everything too.
I don't think I'm exaggerating here.
Just a thought, not saying it's a good one or whose fault it is...
Deepak Jain
AiNET
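As an added illustration (this is not part of the thread and is not code from any poster), the script below models the "block everything, including ICMP" firewall habit described above. It reads an `iptables -S`-style INPUT chain and reports, by first-match evaluation, whether an inbound ICMP "fragmentation needed" message (type 3, code 4), which Path MTU Discovery depends on, would be dropped. The rule lines are constructed for the example; the evaluator understands only `-p`, `--icmp-type`, `-j` and the chain policy, and refuses stateful rules (`-m state`/`-m conntrack`) rather than guess how conntrack would classify the ICMP error.

```python
"""Toy first-match evaluator: would this iptables INPUT chain black-hole PMTUD?

Added example, not from the NANOG thread. IPv4 only: the packet we care about
is ICMP type 3 code 4 ("fragmentation needed and DF set"). The rule text
below is constructed to mirror the misconfiguration discussed in the post.
"""
import re

_POLICY_RE = re.compile(r"^-P\s+(\S+)\s+(ACCEPT|DROP|REJECT)$")
_RULE_RE = re.compile(r"^-A\s+(\S+)(.*?)\s+-j\s+(ACCEPT|DROP|REJECT)")

# iptables spellings that match a type-3/code-4 packet (name, numeric, or
# the whole "destination-unreachable" class, which contains code 4).
_FRAG_NEEDED_TYPES = {"fragmentation-needed", "destination-unreachable", "3", "3/4"}


def _parse(lines):
    """Return (chain policies, ordered rule list) from `iptables -S` style text."""
    policy, rules = {}, []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _POLICY_RE.match(line)
        if m:
            policy[m.group(1)] = m.group(2)
            continue
        m = _RULE_RE.match(line)
        if not m:
            continue  # rules outside the modelled subset are ignored
        chain, opts, target = m.groups()
        if re.search(r"-m\s+(state|conntrack)\b", opts):
            # conntrack marks ICMP errors for known flows as RELATED; that
            # logic is not modelled here, so refuse instead of mis-answering.
            raise ValueError("stateful rule not modelled: " + line)
        proto = re.search(r"-p\s+(\S+)", opts)
        icmp_type = re.search(r"--icmp-type\s+(\S+)", opts)
        rules.append({
            "chain": chain,
            "proto": proto.group(1) if proto else None,
            "icmp_type": icmp_type.group(1) if icmp_type else None,
            "target": target,
        })
    return policy, rules


def _matches_frag_needed(rule):
    """True if the rule would match an inbound ICMP type 3 code 4 packet."""
    if rule["proto"] not in (None, "all", "icmp"):
        return False
    return rule["icmp_type"] is None or rule["icmp_type"] in _FRAG_NEEDED_TYPES


def pmtud_verdict(lines, chain="INPUT"):
    """First-match verdict (ACCEPT/DROP/REJECT) for an ICMP fragmentation-needed packet."""
    policy, rules = _parse(lines)
    for rule in rules:
        if rule["chain"] == chain and _matches_frag_needed(rule):
            return rule["target"]
    return policy.get(chain, "ACCEPT")  # no rule matched: chain policy decides


def black_holes_pmtud(lines, chain="INPUT"):
    """True if PMTUD signalling cannot reach the host through this chain."""
    return pmtud_verdict(lines, chain) != "ACCEPT"


# Constructed rulesets. WEAK_RULES is the "ICMP is bad, block it" policy.
WEAK_RULES = """
-P INPUT DROP
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -j DROP
""".splitlines()

# FIXED_RULES still drops most ICMP but lets fragmentation-needed through
# (listed before the catch-all drop, since evaluation is first-match).
FIXED_RULES = """
-P INPUT DROP
-A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -j DROP
""".splitlines()

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("fixed", FIXED_RULES)):
        print(f"{name}: verdict={pmtud_verdict(rules)} black_hole={black_holes_pmtud(rules)}")
```

Rule order matters: the accept for `fragmentation-needed` has to precede the catch-all ICMP drop, which is exactly the detail a "block everything" policy gets wrong.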