job screening question

Leo Bicknell bicknell at
Thu Jul 5 17:16:56 UTC 2012

In a message written on Thu, Jul 05, 2012 at 01:02:08PM -0400, William Herrin wrote:
> You implement a firewall on which you block all ICMP packets. What
> part of the TCP protocol (not IP in general, TCP specifically)
> malfunctions as a result?
> My questions for you are:
> 1. As an expert who follows NANOG, do you know the answer? Or is this
> question too hard?

I suspect you're looking for Path MTU Discovery as an answer.

> 2. Is the question too vague? Is there a clearer way to word it?

I believe if you understand ICMP, it could be considered to be

For instance, blocking all ICMP means that if the network breaks
during communication and a Host/Net unreachable is generated the
connection will have to go through a timeout rather than an immediate
tear down.  Similarly, blocking ICMP source quench might break
throttling in the 3 TCP implementations in the world that do that.

> 3. Is there a better screening question I could pass to HR to ask and
> check the candidate's response against the supplied answer?

"A firewall is configured to block all ICMP packets and a system
 administrator reports problems with TCP connections not transferring
 data.  What is the most likely cause?"

ICMP Packet-Too-Big being dropped and breaking PMTU discovery is
the correct answer.

When I study for my CCIE Recert every 2 years I find myself relearning
"The Cisco Answer", rather than the right answer.  It's not that the
Cisco answers are often wrong per se, but they teach the most likely
causes of things and want them back as the right answer.  Cribbing
from their test materials and study guides puts the questions in familiar
terms that your candidates are likely to have seen, making them less
likely to be thrown off by the question.

Unless you want to throw them off.  Depends on the level of folks you
want to hire.  I would answer your question with "I would never
implement a firewall that breaks all TCP." :)

       Leo Bicknell - bicknell at - CCIE 3440
        PGP keys at
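As an added illustration of the failure mode discussed above (this is example code, not part of the original post or of any real stack): a small simulation of TCP Path MTU Discovery across a path whose middle hop has a smaller MTU, with a constructed "firewall" flag that either passes or drops the ICMP Fragmentation Needed error. The hop MTUs, header sizes and retransmit limit are assumptions chosen to show why the handshake and small transfers succeed while bulk data stalls when ICMP is blocked.

```python
# Added example (not from the original post): simulate how dropping all ICMP
# breaks TCP Path MTU Discovery. Hop MTUs and sizes are constructed.
from dataclasses import dataclass, field

ICMP_FRAG_NEEDED = (3, 4)   # ICMPv4 type 3, code 4: Fragmentation Needed, DF set
TCP_IP_HEADERS = 40         # IPv4 + TCP headers without options (assumed)


@dataclass
class Path:
    """Hops between sender and receiver, each with its link MTU."""
    hop_mtus: list
    firewall_drops_icmp: bool
    # ICMP errors that actually reach the sender (empty if the firewall eats them)
    icmp_to_sender: list = field(default_factory=list)

    def forward(self, packet_len: int) -> bool:
        """Return True if an IP packet with DF set reaches the receiver."""
        for mtu in self.hop_mtus:
            if packet_len > mtu:
                # Router may not fragment (DF set): drop the packet and report
                # the next-hop MTU back to the sender via ICMP, unless filtered.
                if not self.firewall_drops_icmp:
                    self.icmp_to_sender.append((*ICMP_FRAG_NEEDED, mtu))
                return False
        return True


def send_tcp_stream(path: Path, payload_len: int, sender_mtu: int = 1500,
                    max_retransmits: int = 5) -> dict:
    """Simulate a handshake, then full-sized data segments sized by PMTUD."""
    # SYN/SYN-ACK/ACK carry no payload, so they fit any sane link MTU.
    handshake_ok = path.forward(TCP_IP_HEADERS)
    pmtu = sender_mtu
    delivered = attempts = 0
    while delivered < payload_len and attempts < max_retransmits:
        attempts += 1
        segment = min(pmtu, TCP_IP_HEADERS + payload_len - delivered)
        if path.forward(segment):
            delivered += segment - TCP_IP_HEADERS
        elif path.icmp_to_sender:
            # PMTUD working: shrink to the MTU reported in the ICMP error.
            _, _, pmtu = path.icmp_to_sender.pop()
        # else: ICMP blocked -> no signal, the same size is blindly retransmitted
    return {"handshake_ok": handshake_ok,
            "data_delivered": delivered == payload_len,
            "pmtu": pmtu, "attempts": attempts}
```

Run with `Path([1500, 1400, 1500], firewall_drops_icmp=True)` and a 4000-byte payload: the handshake and a 100-byte request go through, but the bulk transfer never completes, which is exactly the "connections that open but don't transfer data" symptom.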
