Re: [OPSEC] [NANOG] Microsoft.com PMTUD black hole?

"Smith, Donald" <Donald.Smith@qwest.com> Thu, 08 May 2008 17:20 UTC

Date: Thu, 08 May 2008 11:19:41 -0600
Message-ID: <A15EF332BA1FE04888F87DFEC06629F004B393A6@ITDENE2KM02.AD.QINTRA.COM>
In-Reply-To: <1A7291F3-532F-4596-8E25-0082DC9A9660@muada.com>
References: <200805062253.m46MrwS1025720@mail.r-bonomi.com> <4821020A.7050003@fsr.com><20080507134507.GA23142@gsp.org> <48220209.8000407@fsr.com><482206FE.3030000@rancid.berkeley.edu> <6536F6AA-0810-4255-8116-510FBB9D24A4@muada.com><87iqxp2scc.fsf@obelix.mork.no> <4822B173.3070001@bogus.com> <1A7291F3-532F-4596-8E25-0082DC9A9660@muada.com>
From: "Smith, Donald" <Donald.Smith@qwest.com>
To: Iljitsch van Beijnum <iljitsch@muada.com>, Joel Jaeggli <joelja@bogus.com>
Cc: guillermo@gont.com.ar, opsec@ietf.org, NANOG list <nanog@merit.edu>
Subject: Re: [OPSEC] [NANOG] Microsoft.com PMTUD black hole?

A few comments on your comments below.


RM=for(1)
{manage_risk(identify_risk(product[i++]) &&
(identify_threat[product[i++]))}
Donald.Smith@qwest.com giac 

> -----Original Message-----
> From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org] 
> On Behalf Of Iljitsch van Beijnum
> Sent: Thursday, May 08, 2008 3:24 AM
> To: Joel Jaeggli
> Cc: guillermo@gont.com.ar; opsec@ietf.org; NANOG list
> Subject: Re: [OPSEC] [NANOG] Microsoft.com PMTUD black hole?
> 
> On 8 mei 2008, at 9:53, Joel Jaeggli wrote:
> 
> > Oddly enough there is a draft on the subject of ICMP filtering
> > recommendations making the rounds.
> 
> > http://tools.ietf.org/wg/opsec/draft-gont-opsec-icmp-filtering-00.txt
> 
> > The opsec working group (opsec@ietf.org) and the authors would
> > appreciate feedback from operators on the subject.
> 
> Speaking as someone who isn't interested in reading an explanation of
> what happens when the message is filtered for every ICMP message known
> to man, I find this a completely useless document: I can't find the
> recommendations. Either they're there but impossible to find by
> looking at the table of contents or searching for "recommend", or
> they're not there, in which case the title is EXTREMELY misleading.

I believe a table of what to filter where was recommended.
I hope that table includes filtering and rate limiting from, through,
and to.

However, blindly accepting recommendations without understanding the
possible ramifications such filtering can have on your network is not
wise.

> 
> Also:
> 
> 2.1.1.5.4. Operational/interoperability impact if blocked Filtering  
> this error message breaks the Path-MTU Discovery mechansim described  
> in [RFC1191].
> 
> This is completely insufficient because it doesn't mention that 99% of
> all TCP traffic on today's internet uses PMTUD and filtering these
> messages leads to broken connectivity towards destinations that have
> an MTU lower than the source (lower than 1500 in practice).

I suspect your statistics. I don't believe the number is anywhere near
99%, but I haven't seen a study that would support any actual percentage
of traffic that relies on PMTUD. If you're aware of such a study or
research, I would be interested in reviewing the results.

Again, filtering THROUGH a device is probably not advisable; filtering TO
your device might be advisable.

> 
> Please spell check and five levels of numbering is considered 
> bad style.


_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec
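The PMTUD black hole the thread argues about, as an added simulation that is not part of this message, the draft, or any poster's code: a chain of routers with constructed names and link MTUs, where each hop can drop ICMP "fragmentation needed" (type 3, code 4) either in transit ("through") or only when addressed to itself ("to"). It shows why a transit filter black-holes every host behind it, while a filter on traffic to the device only affects that device's own sessions.

```python
from dataclasses import dataclass


@dataclass
class Hop:
    """A host or router on the path (constructed model, not a real device)."""
    name: str
    out_mtu: int                  # MTU of its link toward the destination
    filter_through: bool = False  # drops ICMP type 3/code 4 it would forward
    filter_to: bool = False       # drops ICMP type 3/code 4 addressed to itself


def pmtud(path, max_rounds=8):
    """Simulate RFC 1191 PMTUD for one direction of a flow.

    path[0] is the sending host (out_mtu = its interface MTU); the remaining
    hops are routers in order toward the destination.  Returns
    (delivered, pmtu, rounds).  delivered=False is the black hole: the source
    keeps sending DF-set packets that are dropped without feedback.
    """
    src, size = path[0], path[0].out_mtu
    for rounds in range(1, max_rounds + 1):
        for i, hop in enumerate(path[1:], start=1):
            if size <= hop.out_mtu:
                continue
            # hop i cannot forward a DF packet of `size`: it drops it and sends
            # ICMP "fragmentation needed, next-hop MTU = out_mtu" to the source.
            # That reply transits path[1:i]; only their *through* filters apply,
            # because the message is addressed to the source, not to them.
            # The source's own *to* filter is what can drop it on arrival.
            transit_blocked = any(h.filter_through for h in path[1:i])
            if transit_blocked or src.filter_to:
                return False, None, rounds
            size = hop.out_mtu  # source lowers its estimate and retries
            break
        else:
            return True, size, rounds  # every hop accepted the packet
    return False, None, max_rounds


if __name__ == "__main__":
    # Constructed topology: a 1400-byte tunnel link behind a 1500-byte core.
    routers = [Hop("edge", 1500), Hop("core", 1500), Hop("tunnel", 1400)]
    print(pmtud([Hop("host", 1500)] + routers))           # (True, 1400, 2)
    routers[0].filter_through = True                       # edge filters transit
    print(pmtud([Hop("host", 1500)] + routers))           # (False, None, 1)
```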