Subject: Re: SOLVED! The cause of puzzling TCP (eg. WHOIS) connection failures with some InterNIC.net hosts
To: Henry Miller <hank@black-hole.com>
From: Perry E. Metzger <perry@piermont.com>
List: tech-net
Date: 11/22/1998 10:22:00
Henry Miller writes:
> On Sat, 21 Nov 1998, Greg A. Woods wrote:
> > > Ah, but I think people have to fix the firewalls. Lots and lots of
> > > machines are doing PMTU discovery. If you filter all ICMP, well, lots
> > > of connections to you are going to lose, not just ours if you have
> > > PMTU on.
> > Sure, people *should* fix their firewalls.  Commercial firewalls
> > probably shouldn't allow such stupid rules to be imposed in the first
> > place.
> 
> No, there are valid reasons to disable ICMP.

There is no valid reason to disable receipt of the particular ICMP
messages in question. None. Zero. Zip. In general, disabling ICMP is
actually quite a bad idea, but if we just restrict it to the question
of the messages associated with Path MTU discovery, there is *no*
valid security concern being addressed by blocking those messages.

If you can name one, I'd like to hear it. Remember, I'm talking about
only the messages associated with Path MTU, not any other ICMP messages.

Perry
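To make concrete which messages Perry means, here is an added example (mine, not code from the thread or from any of its participants): a parser for the ICMPv4 Destination Unreachable / Fragmentation Needed message (type 3, code 4, RFC 1191) that verifies the checksum and extracts the Next-Hop MTU, beside a filter policy that admits only the PMTU discovery messages (and the IPv6 Packet Too Big equivalent) instead of dropping ICMP wholesale. The quoted IP header it embeds is a constructed sample.

```python
import struct

# Exactly the ICMP messages Path MTU discovery depends on (RFC 1191 for IPv4,
# RFC 1981 for IPv6). Dropping these is what breaks connections; a cautious
# site can still filter the rest of ICMP without touching them.
PMTUD_REQUIRED = {
    ("icmp", 3, 4): "IPv4 Destination Unreachable / Fragmentation Needed",
    ("icmpv6", 2, 0): "IPv6 Packet Too Big",
}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmpv4(msg: bytes) -> dict:
    """Parse an ICMPv4 header; for Fragmentation Needed (3/4) also return the
    Next-Hop MTU that the sending host must shrink its packets to."""
    if len(msg) < 8:
        raise ValueError("short ICMP message")
    if icmp_checksum(msg) != 0:          # a valid message checksums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _chksum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    info = {"type": icmp_type, "code": code, "quoted_datagram": msg[8:]}
    if icmp_type == 3 and code == 4:
        info["next_hop_mtu"] = mtu       # 0 = pre-RFC-1191 router, MTU unknown
    return info

def policy_allows(family: str, icmp_type: int, code: int) -> bool:
    """Filter decision: admit only the PMTUD messages, block the rest of ICMP."""
    return (family, icmp_type, code) in PMTUD_REQUIRED

def build_frag_needed(mtu: int, quoted_datagram: bytes) -> bytes:
    """Construct a Fragmentation Needed message as a router would send it
    (constructed sample input for this demo only)."""
    body = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + quoted_datagram
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

# Constructed sample: IP header plus first 8 bytes of the oversized datagram,
# as a router quotes them back in the ICMP error (RFC 792 format).
SAMPLE_QUOTED = bytes.fromhex("4500003c1c4640004006b1e6c0a80001c0a800c7") + bytes(8)

if __name__ == "__main__":
    parsed = parse_icmpv4(build_frag_needed(1400, SAMPLE_QUOTED))
    print(parsed["next_hop_mtu"], policy_allows("icmp", parsed["type"], parsed["code"]))
```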