On 11 Mar 2016, at 11:40, Robert Meyer r.meyer@net-wizard.org wrote:
Hi,
Furthermore ICMP is _mandatory_ for MTU path discovery to work. So be ready for all kinds of non-functioning stuff if you transfer larger packets than the MTU somewhere in the middle (such as trying to squeeze a 1500 byte ethernet packet into an IPSec tunnel with an MTU around 1426). TCP/IP is built in such a way that it reacts to these ICMP MTU mismatch messages when packets get dropped on the way due to being too big. TCP can adapt, but if ICMP is filtered away, then TCP will not notice and an endless retransmission dance begins. The odd thing there is that it "kinda works". Sometimes it's just slow and sometimes nothing works. We use IPSec in our network heavily and we have seen that happening with large corporations such as Networksolutions.com (which is one of the oldest companies on the internet, they should know this stuff!). This can be a big issue. So if I ever find a consultant telling me I should filter away ICMP just because, I will kick him out of the door immediately. The only case where this could be valid is if you still have Windows 95 machines in your network due to the "ping-of-death" bug. But if you have that, then you're hopelessly lost anyway.
This is basically only true for IPv6. In IPv4, network devices can fragment. This does not mean that I would consider filtering ICMP a reasonable idea.
They COULD fragment, but 99% of the routers do drop and send back an ICMP.
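The failure mode described above (ICMP "fragmentation needed" filtered, so the sender never learns the tunnel MTU and keeps retransmitting) and the IPv4 router-fragmentation point from the replies, as a toy model added here; it is illustration, not code from anyone in the thread. The 1500/1426 MTUs are the thread's figures; the three-hop layout, the `Hop`/`Result` names and the five-attempt cap are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Hop:
    mtu: int
    filter_icmp: bool = False  # True: the ICMP error this hop generates never reaches the sender

@dataclass
class Result:
    delivered: bool
    sender_mtu: int   # packet size the sender ended up using
    attempts: int

def forward(path, size, df):
    """Push one packet of `size` bytes along `path`. Returns ("delivered", None);
    ("dropped", hop_mtu) when a hop drops a DF packet and its ICMP "fragmentation
    needed" (type 3, code 4) reaches the sender; ("dropped", None) when it is filtered."""
    for hop in path:
        if size <= hop.mtu:
            continue
        if not df:
            size = hop.mtu  # IPv4 router, DF not set: fragment in place and carry on
            continue
        return ("dropped", None if hop.filter_icmp else hop.mtu)
    return ("delivered", None)

def pmtud_transfer(path, payload=1500, df=True, max_attempts=5):
    """Model a TCP sender doing path MTU discovery (RFC 1191): start at the link
    MTU, shrink to whatever the ICMP error reports, retransmit otherwise.
    max_attempts is an assumed cap so the black-hole case terminates."""
    size, attempts = payload, 0
    while attempts < max_attempts:
        attempts += 1
        status, reported = forward(path, size, df)
        if status == "delivered":
            return Result(True, size, attempts)
        if reported is None:
            continue           # no ICMP came back: the sender just retransmits the same segment
        size = reported        # adapt to the MTU announced in the ICMP error
    return Result(False, size, attempts)

# Constructed paths: a 1500-byte Ethernet segment crossing an IPSec hop with MTU 1426.
TUNNEL = [Hop(1500), Hop(1426), Hop(1500)]
TUNNEL_ICMP_FILTERED = [Hop(1500), Hop(1426, filter_icmp=True), Hop(1500)]
if __name__ == "__main__":
    print("ICMP allowed :", pmtud_transfer(TUNNEL))                             # delivered after one adaptation
    print("ICMP filtered:", pmtud_transfer(TUNNEL_ICMP_FILTERED))               # never delivered, keeps retransmitting
    print("no DF (IPv4) :", pmtud_transfer(TUNNEL_ICMP_FILTERED, df=False))     # router fragments instead
    print("small packet :", pmtud_transfer(TUNNEL_ICMP_FILTERED, payload=1400)) # "kinda works": small data passes
```

The last two runs show why the thread calls it "kinda works": traffic below the tunnel MTU and traffic without DF get through, only full-size DF segments black-hole.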
Let's face it. Firewalls and NAT have been built to break the internet in the way it has been intended, with all kinds of strange side effects. Thinking they are the only defence to protect you is so wrong. Social engineering brings hackers behind firewalls and they attack from the inside. A well secured localhost is way more important. I'm using machines on public IPs without firewall or NAT in between for over 20 years and the issues I've seen have all been controllable (but I'm not an interesting target to hack like a bank). On the other hand NAT & firewalls (and their admins) have turned out to be a way bigger problem.
NAT and firewalls are not the biggest problem, but there are just too many people around configuring these devices with a limited understanding of how the internet works.
I can only confirm that.