Subject: Re: DF strikes again
To: Rob Quinn <>
From: Bill Sommerfeld <>
List: current-users
Date: 03/15/2001 14:28:58
> > So, the trick is to find the RFC #, and contact the owner of the
> > firewall and scream that they are "not RFC-mumble compliant!!!" :-)
>  Good luck. I often refer admins to

ok, quoting chapter and verse:

RFC2979, "Behavior of and requirements for Internet Firewalls"

   The introduction of a firewall and any associated tunneling or
   access negotiation facilities MUST NOT cause unintended failures
   of legitimate and standards-compliant usage that would work were
   the firewall not present.


   By the transparency rule, a packet-filtering router acting as a
   firewall which permits outgoing IP packets with the Don't Fragment
   (DF) bit set MUST NOT block incoming ICMP Destination Unreachable /
   Fragmentation Needed errors sent in response to the outbound packets
   from reaching hosts inside the firewall, as this would break the
   standards-compliant usage of Path MTU discovery by hosts generating
   legitimate traffic.

   On the other hand, it's proper (albeit unfriendly) to block ICMP Echo
   and Echo Reply messages, since these form a different use of the
   network, or to block ICMP Redirect messages entirely, or to block
   ICMP DU/FN messages which were not sent in response to legitimate
   outbound traffic.

Note that there's a lot of room for flexibility here.. folks with ICMP
phobias can always turn off path mtu discovery on the nodes
"protected" by the firewall..

						- Bill