G root servers unreachable via ICMP(v6)

William Herrin bill at herrin.us
Tue May 16 20:59:01 UTC 2023


On Tue, May 16, 2023 at 1:38 PM Christopher Morrow
<morrowc.lists at gmail.com> wrote:
> On Tue, May 16, 2023 at 2:35 PM William Herrin <bill at herrin.us> wrote:
> > Ping is used by some versions of traceroute which can help the
>
> I think you mean 'icmp' here. yes. I contend that traceroute (udp or
> icmp or tcp) TOWARDS a destination can be sometimes useful, sure.

I mean ICMP echo-request, colloquially "ping." Traceroute using ICMP
needs the echo-reply from the destination to know that the trace
reached the destination, just like it needs port unreachable for UDP
and RST/SYNACK for TCP.


> > When working, it also lets the diagnostician know that the site's
> > firewall administrator didn't ignorantly decide to block all ICMP.
> > Which so very many ignorant firewall administrators do.
>
> sure, but... 'ignorantly' seems to imply that their ideas of their best
> practice(s) are different from yours. They may have a valid reason
> to block icmp, even all icmp.

Since that breaks PMTUD on a public-facing service, I'm entirely
satisfied with my description of it being ignorant. There is, quite
simply, no valid reason to broadly block ICMP type 3 (destination
unreachable) messages to and from any public facing service. Not ever.

Regards,
Bill Herrin

-- 
William Herrin
bill at herrin.us
https://bill.herrin.us/
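
Added example, not part of the original message: a small simulation of the PMTUD point above, showing a sender converging on the path MTU when ICMP type 3 code 4 ("fragmentation needed", RFC 1191) gets back to it, and stalling when a firewall drops type 3. The function names, the link MTUs and the retry limit are constructed for illustration; no packets are sent.

```python
# Constructed simulation of Path MTU Discovery (RFC 1191); not real packet I/O.
ICMP_DEST_UNREACH = 3      # ICMP type 3, destination unreachable
CODE_FRAG_NEEDED = 4       # code 4: fragmentation needed and DF set


def forward(size, link_mtus):
    """Send one DF packet along the path.

    Returns None on delivery, or the (type, code, next_hop_mtu) ICMP error
    generated by the router in front of the first link that is too small.
    """
    for mtu in link_mtus:
        if size > mtu:
            return (ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, mtu)
    return None


def discover_path_mtu(link_mtus, firewall_drops_type3, max_tries=8):
    """Sender-side PMTUD loop. Returns (working_size_or_None, probe_log)."""
    size = link_mtus[0]            # start at the first-hop MTU
    log = []
    for _ in range(max_tries):
        error = forward(size, link_mtus)
        if error is None:
            log.append((size, "delivered"))
            return size, log
        if firewall_drops_type3:
            # The router's error never reaches the sender, so the sender
            # retransmits at the same size: a PMTUD black hole.
            log.append((size, "lost, no ICMP seen"))
            continue
        icmp_type, code, next_hop_mtu = error
        log.append((size, f"ICMP {icmp_type}/{code} mtu={next_hop_mtu}"))
        size = next_hop_mtu        # shrink to the advertised MTU and retry
    return None, log


if __name__ == "__main__":
    path = [1500, 1500, 1400, 1500]    # constructed path with a 1400-byte link
    for drops in (False, True):
        mtu, log = discover_path_mtu(path, firewall_drops_type3=drops)
        print(f"type 3 dropped={drops}: path MTU={mtu}")
        for size, outcome in log:
            print(f"  sent {size} bytes: {outcome}")
```

Small packets (a TCP handshake, a ping) still get through in the blocked case, which is why this failure tends to show up only once full-size segments start flowing.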

