Subject: Re: SOLVED! The cause of puzzling TCP (eg. WHOIS) connection failures with some InterNIC.net hosts
To: None <tech-net@netbsd.org>
From: Michael C. Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-net
Date: 11/22/1998 15:08:54
>>>>> "Perry" == Perry E Metzger <perry@piermont.com> writes:
    Perry> You could also use simulated packet generation techniques to
    Perry> eliminate such covert channels. If you know what the path MTU
    Perry> actually is, the firewall can generate the ICMPs on behalf of the
    Perry> interior systems, or can block ICMPs that lie about the path MTU,
    Perry> both to prevent covert channels. In any case, nothing is gained by
    Perry> *not sending the messages at all*.

  Agreed. Further, the firewall benefits by making the TCP MSS match the
Path MTU: it doesn't have to do as much fragment reassembly.

   :!mcr!:            |  Network and security consulting/contract programming
   Michael Richardson |         Firewalls, TCP/IP and Unix administration
 Personal: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html
 Corporate: http://www.sandelman.ottawa.on.ca/SSW/
	ON HUMILITY: To err is human, to moo bovine.
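The MSS-to-path-MTU matching the reply above recommends, as an added Python example that is not part of this thread or of any NetBSD code: it walks the options of a TCP SYN, lowers an MSS that would not fit the known path MTU, and recomputes the TCP checksum. The SYN, the 10.0.0.x addresses and the path MTU of 1280 used in the test are constructed sample values.

```python
import struct
IP_HDR, TCP_HDR, MSS_KIND = 20, 20, 2   # IPv4/TCP header sizes without options

def tcp_checksum(src_ip, dst_ip, segment):
    """RFC 793 checksum over pseudo-header + segment; checksum field counted as zero."""
    pseudo = (bytes(map(int, src_ip.split("."))) + bytes(map(int, dst_ip.split(".")))
              + struct.pack("!BBH", 0, 6, len(segment)))
    data = pseudo + segment[:16] + b"\0\0" + segment[18:] + b"\0" * (len(segment) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                            # fold carries (one's complement sum)
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def iter_options(opts):
    """Yield (kind, offset, length) per real TCP option; stop at EOL or truncation."""
    i = 0
    while i < len(opts) and opts[i] != 0:         # kind 0 = end of option list
        kind = opts[i]
        length = 1 if kind == 1 else (opts[i + 1] if i + 1 < len(opts) else 0)
        if length < (1 if kind == 1 else 2) or i + length > len(opts):
            return                                # malformed option: never read past end
        if kind != 1:                             # kind 1 = NOP padding, not an option
            yield kind, i, length
        i += length

def find_mss(segment):
    """(offset, value) of the MSS option in a TCP segment, or None if absent."""
    opts = segment[TCP_HDR:(segment[12] >> 4) * 4]
    for kind, off, ln in iter_options(opts):
        if kind == MSS_KIND and ln == 4:
            return TCP_HDR + off + 2, struct.unpack("!H", opts[off + 2:off + 4])[0]
    return None

def clamp_mss(segment, pmtu, src_ip, dst_ip):
    """Clamp a SYN's MSS so a full segment fits pmtu, then refresh the TCP checksum."""
    hit = find_mss(segment) if segment[13] & 0x02 else None   # MSS rides on SYNs only
    max_mss = pmtu - IP_HDR - TCP_HDR
    if hit is None or hit[1] <= max_mss:
        return segment                            # already fits: pass it untouched
    new = bytearray(segment)
    new[hit[0]:hit[0] + 2] = struct.pack("!H", max_mss)
    new[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(new)))
    return bytes(new)

def build_syn(mss, src_ip, dst_ip):
    """Constructed sample SYN (not a capture): port 40000 -> 43 (whois), one MSS option."""
    seg = bytearray(struct.pack("!HHIIBBHHH", 40000, 43, 1, 0, 6 << 4, 0x02, 8192, 0, 0)
                    + struct.pack("!BBH", MSS_KIND, 4, mss))
    seg[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)
```

The length check in iter_options is the part a packet filter cannot skip: an option length byte it has not verified against the header size must never steer a rewrite.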