Subject: Stupid ICMP and fragmentation tricks
To: None <tech-net@netbsd.org>
From: M Graff <explorer@flame.org>
List: tech-net
Date: 09/21/1999 01:35:57
It seems people who write firewall rules are idiots these days.  Most
places recommend blocking "all ICMP" -- which breaks M$'s
implementation of Path MTU discovery quite nicely.

Here's the problem.

I have a shark running NetBSD, which has a GRE tunnel to another
NetBSD box at home.  The GRE takes some overhead, of course, so
sometimes packets need to be fragmented.

Since ICMP is blocked, the ICMP "host unreachable, MTU is..." packet
is filtered on the (in this case) remote web server end.  It also
seems that M$ doesn't fall back to a smaller MTU (like we do, right?)
to see if the ICMPs are getting lost or not.

So, what would break if I changed the fragmentation semantics to be
something like:

	if (tcp && dont_fragment_set && must_fragment) {
		send ICMP packet
		fragment and send to host anyway
	} else {
		normal behavior here
	}

TCP should deal with duplicate data well enough, and with this hack I
can once again visit places like airline web sites, NASA Goddard, and
PC game publishers' sites.

I know the right thing to do is get them to fix their setup, but so
far out of the 10 sites I contacted via phone to explain the problem,
I got 10 closed minds and "we need to block ICMP, ICMP is bad!"
replies.

--Michael
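The forwarding decision sketched in the post, as an added Python simulation that is not code from the post or from NetBSD: it contrasts the normal RFC 1191 behaviour (DF set, too big: drop and send ICMP) with the proposed hack (send the ICMP, fragment anyway). The 1476-byte tunnel MTU, the packet sizes and the Packet structure are constructed for illustration.

```python
"""Simulate a router's fragmentation decision at a tunnel hop.

'normal' is RFC 791/1191 behaviour; 'proposed' is the post's hack for TCP
with the DF bit set.  All sizes and structures are constructed values.
"""
from __future__ import annotations
from dataclasses import dataclass

IP_HDR = 20  # minimal IPv4 header, no options (assumption)


@dataclass
class Packet:
    proto: str        # "tcp", "udp", ...
    df: bool          # Don't Fragment bit
    total_len: int    # bytes, including the 20-byte IP header
    offset: int = 0   # fragment offset, in 8-byte units
    mf: bool = False  # More Fragments bit


def fragment(pkt: Packet, mtu: int) -> list[Packet]:
    """Split pkt into fragments that fit mtu; payload is cut on 8-byte boundaries."""
    payload = pkt.total_len - IP_HDR
    per_frag = (mtu - IP_HDR) // 8 * 8     # largest payload multiple of 8 that fits
    frags, off = [], 0
    while off < payload:
        chunk = min(per_frag, payload - off)
        # Every fragment but the last carries MF; an already-fragmented input keeps it.
        frags.append(Packet(pkt.proto, pkt.df, IP_HDR + chunk,
                            pkt.offset + off // 8, pkt.mf or off + chunk < payload))
        off += chunk
    return frags


def forward(pkt: Packet, mtu: int, proposed: bool) -> tuple[list[str], list[Packet]]:
    """Return (actions taken, packets sent onward) for one datagram."""
    if pkt.total_len <= mtu:
        return ["forward"], [pkt]
    if not pkt.df:
        return ["fragment"], fragment(pkt, mtu)
    # DF set and the datagram does not fit: RFC 1191 says drop and report the MTU.
    actions = [f"icmp frag-needed mtu={mtu}"]
    if proposed and pkt.proto == "tcp":
        # The post's hack: report the MTU but deliver the data anyway, so a peer
        # whose firewall drops the ICMP does not sit in a PMTU black hole.
        return actions + ["fragment anyway"], fragment(pkt, mtu)
    return actions + ["drop"], []
```

Running `forward(Packet("tcp", True, 1500), 1476, proposed=False)` yields the ICMP plus a drop; with `proposed=True` the same datagram leaves as two fragments of 1476 and 44 bytes.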