Subject: Re: SOLVED! The cause of puzzling TCP (eg. WHOIS) connection failures with some InterNIC.net hosts
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Perry E. Metzger <perry@piermont.com>
List: tech-net
Date: 11/22/1998 14:44:11
der Mouse writes:
> I see Perry as saying that there is absolutely no legitimate reason to
> configure F to drop those ICMP packets.  (Perry, is this a correct
> description of your claim?)

Yup.

> I think I agree.  The only case I can think of where blocking those
> things might be valuable is when you cannot afford any covert channel
> from inside to outside; need-frag ICMP packets can form as good a
> covert channel as any.  However, if you have occasion to be that
> paranoid about covert channels, you've got plenty worse problems than
> need-frag ICMP. :-)

You could also use simulated packet generation techniques to eliminate
such covert channels. If you know what the path MTU actually is, the
firewall can generate the ICMPs on behalf of the interior systems, or
can block ICMPs that lie about the path MTU, both to prevent covert
channels. In any case, nothing is gained by *not sending the messages
at all*.

Perry
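The second option Perry describes, a firewall that knows the real path MTU and drops need-frag ICMPs that lie about it, as an added example (not code from the list or from Perry). It assumes IPv4 (RFC 792 type 3 / code 4, RFC 1191 next-hop MTU field) and that the filter has learned the path MTU by some other means; the sample datagram is constructed.

```python
import struct
from typing import Optional

IPV4_MIN_MTU = 68  # smallest MTU an IPv4 link may have (RFC 791)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; yields 0 over a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_need_frag(next_hop_mtu: int, original_datagram: bytes) -> bytes:
    """Build an ICMP Destination Unreachable, code 4 (fragmentation needed) message
    carrying the IP header + 8 bytes of the datagram that was too big (RFC 792/1191)."""
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + original_datagram[:28]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def need_frag_verdict(icmp: bytes, known_path_mtu: Optional[int], link_mtu: int) -> str:
    """Egress filter decision for a need-frag message leaving the protected network.
    known_path_mtu is the real path MTU the firewall has learned (None if unknown);
    a message that contradicts it is treated as a lie and dropped, not forwarded."""
    if len(icmp) < 8 + 28:
        return "drop: truncated (no embedded header)"
    typ, code, _csum, unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if typ != 3 or code != 4:
        return "pass: not a need-frag message"
    if inet_checksum(icmp) != 0:
        return "drop: bad checksum"
    if unused != 0:
        return "drop: unused field must be zero"  # spare bits are the obvious covert carrier
    if icmp[8] >> 4 != 4:
        return "drop: embedded datagram is not IPv4"
    if not IPV4_MIN_MTU <= mtu <= link_mtu:
        return f"drop: MTU {mtu} is impossible for this link"
    if known_path_mtu is not None and mtu != known_path_mtu:
        return f"drop: MTU {mtu} contradicts known path MTU {known_path_mtu}"
    return "pass"

# Constructed sample: 20-byte IPv4 header (TCP, 192.0.2.10 -> 198.51.100.20) plus 8 payload bytes.
SAMPLE_DATAGRAM = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                              bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])) + b"\x00" * 8

if __name__ == "__main__":
    honest = build_need_frag(1480, SAMPLE_DATAGRAM)
    lying = build_need_frag(1234, SAMPLE_DATAGRAM)
    print(need_frag_verdict(honest, 1480, 1500))  # pass
    print(need_frag_verdict(lying, 1480, 1500))   # drop: MTU 1234 contradicts known path MTU 1480
```

When the path MTU is not yet known the filter falls back to a plausibility range, which still removes impossible values but not a covert channel; the first option Perry mentions, generating the ICMP at the firewall itself, closes that gap entirely.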