[NANOG] Microsoft.com PMTUD black hole?
Hank Nussbacher
hank at efes.iucc.ac.il
Thu May 8 21:10:12 UTC 2008
On Wed, 7 May 2008, Michael Sinatra wrote:
> Nathan Anderson/FSR wrote:
>> Here is a brief update on the situation:
>>
>> I have been in contact with someone at Microsoft's service operations
>> center, who has confirmed for me that MS does in fact block _all_ ICMP
>> at the edge of their network, that they are aware that this will in fact
>> break PMTUD, and that they have no current plans to change this practice
>> which they have implemented in the interest of security.
>
> Although the need for your previous apology has already been questioned
> in this forum, the confirmation that they block not only certain ICMP
> types, but all ICMP, further vacates the need for any apology for
> criticizing this behavior in a public forum. It is disheartening for
> those of us who use and support MSFT's products to learn that their
> understanding of security lacks even the basic nuance to know not to
> block an entire--critical--portion of the Internet Protocol. Perhaps
> they should also block _all_ TCP and UDP as well, and then we can move on.
>
> I agree with Iljitsch that it happens frequently, but I think I am
> justified in expecting more than that from Microsoft. Anything less
> would be unprofessional.
I wonder if MS knows about:
ICMP Packet Filtering v1.2 from 2003:
http://www.cymru.com/Documents/icmp-messages.html
Only been around 5 years or so. Hopefully MS people reading this email
will take note, read the entire page and implement what everyone else has
been doing for a number of years.
-Hank
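
The black hole discussed in this thread, as an added example that is not part of the original message: a small simulation of a sender doing path MTU discovery (RFC 1191) behind an edge filter, comparing "drop all ICMP" with a policy that admits only ICMP type 3 code 4. The function names, MTU values and retry limit are constructed for illustration.

```python
# Constructed simulation; names, MTUs and retry limit are illustrative assumptions.
ICMP_DEST_UNREACH = 3   # ICMP type 3: destination unreachable
ICMP_FRAG_NEEDED = 4    # code 4: fragmentation needed and DF set (RFC 1191)

def block_all_icmp(icmp_type, icmp_code):
    """Edge policy described in the thread: every inbound ICMP message is dropped."""
    return False

def permit_pmtud(icmp_type, icmp_code):
    """Selective policy: admit only 'fragmentation needed', drop everything else."""
    return (icmp_type, icmp_code) == (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED)

def send_with_pmtud(payload_len, local_mtu, path_mtus, edge_policy, max_tries=5):
    """Simulate a sender behind edge_policy transmitting packets with DF set.

    path_mtus holds the MTU of each hop toward the receiver.
    Returns (delivered, final_packet_size, attempts).
    """
    size = min(payload_len, local_mtu)
    for attempt in range(1, max_tries + 1):
        # First hop too small for the packet drops it and reports its MTU.
        bottleneck = next((m for m in path_mtus if m < size), None)
        if bottleneck is None:
            return True, size, attempt
        if edge_policy(ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
            size = bottleneck   # sender learns the next-hop MTU and shrinks
        # Otherwise the ICMP error never arrives: same size is retransmitted.
    return False, size, max_tries

if __name__ == "__main__":
    path = [1500, 1492, 1500]   # constructed path with one 1492-byte hop
    for name, policy in (("block all ICMP", block_all_icmp),
                         ("permit type 3 code 4", permit_pmtud)):
        for length in (500, 1500):
            print(name, length, send_with_pmtud(length, 1500, path, policy))
```

Small packets are delivered under both policies, which is why the failure shows up only on full-sized segments and looks like a stalled connection rather than an unreachable host.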