Subject: Re: SOLVED! The cause of puzzling TCP (eg. WHOIS) connection failures with some InterNIC.net hosts
To: None <tech-net@netbsd.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-net
Date: 11/22/1998 13:05:33
> There is no valid reason to disable receipt of the particular ICMP
> messages in question.  [...]  If you can name one, I'd like to hear
> it.  Remember, I'm talking about only the messages associated with
> Path MTU, not any other ICMP messages.

It's not a question of blocking *receipt* of those packets, but
blocking *transmission* of them.  Remember, we have host A, trying to
do PMTU-D, to host B.  But between A and B we have two boxen: a
firewall F and a router R, in that order.  F lets A's packets through
but blocks the need-frag ICMP packets from R to A.  The outgoing link
from R in the direction of B has a small MTU.

Then PMTU-D sees a black hole (and if A's PMTU-D does black hole
avoidance, it should deal - but that's not the issue under discussion
in this message).

I see Perry as saying that there is absolutely no legitimate reason to
configure F to drop those ICMP packets.  (Perry, is this a correct
description of your claim?)

I think I agree.  The only case I can think of where blocking those
things might be valuable is when you cannot afford any covert channel
from inside to outside; need-frag ICMP packets can form as good a
covert channel as any.  However, if you have occasion to be that
paranoid about covert channels, you've got plenty worse problems than
need-frag ICMP. :-)

					der Mouse

			       mouse@rodents.montreal.qc.ca
		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
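The A / F / R / B scenario described in the message, as an added simulation that is not part of the original post or of any NetBSD code. Host A sends with DF set, router R's outgoing link has a small MTU and answers oversize DF packets with ICMP "fragmentation needed" (type 3, code 4), and firewall F either passes or drops that ICMP on its way back to A. The MTU values, the retransmit budget and the "clear DF and retry" fallback used to model black hole avoidance are assumptions made for the example, not a description of any particular stack's algorithm.

```python
"""Simulation of PMTU discovery across A -> F -> R -> B.

Constructed example: the topology, MTUs and retry budget are made up, and
the black hole avoidance modelled here (clear DF after repeated silence)
is one common strategy, not a specific implementation's behaviour.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

INITIAL_MTU = 1500   # MTU of A's own link; A's first PMTU estimate (assumed)
SMALL_MTU = 1006     # MTU of R's link towards B (assumed, deliberately small)
MAX_RETRIES = 3      # unanswered sends before A declares a black hole (assumed)
MAX_ATTEMPTS = 20    # hard stop so the simulation always terminates


@dataclass
class Segment:
    size: int   # total IP datagram length in bytes
    df: bool    # IP "don't fragment" bit


@dataclass
class NeedFrag:
    """ICMP type 3 code 4 carrying the next-hop MTU (RFC 1191 style)."""
    next_hop_mtu: int


class Router:
    """R: forwards to B, or returns need-frag when a DF packet is too big."""

    def __init__(self, out_mtu: int) -> None:
        self.out_mtu = out_mtu

    def forward(self, seg: Segment) -> tuple[bool, Optional[NeedFrag]]:
        """Return (delivered_to_B, icmp_sent_back_towards_A)."""
        if seg.size <= self.out_mtu:
            return True, None                      # fits, forward as-is
        if seg.df:
            return False, NeedFrag(self.out_mtu)   # cannot fragment, tell A
        return True, None                          # fragment and forward


class Firewall:
    """F: sits between A and R; may drop need-frag ICMP headed for A."""

    def __init__(self, drop_need_frag: bool) -> None:
        self.drop_need_frag = drop_need_frag

    def filter_inbound(self, icmp: Optional[NeedFrag]) -> Optional[NeedFrag]:
        if isinstance(icmp, NeedFrag) and self.drop_need_frag:
            return None   # silently dropped: A never learns the real MTU
        return icmp


def run_pmtud(drop_need_frag: bool, blackhole_avoidance: bool) -> dict:
    """Host A's side of PMTU-D; returns how the transfer ended up."""
    fw = Firewall(drop_need_frag)
    router = Router(SMALL_MTU)
    pmtu, df, retries = INITIAL_MTU, True, 0

    for _ in range(MAX_ATTEMPTS):
        delivered, icmp = router.forward(Segment(pmtu, df))
        if delivered:
            return {"delivered": True, "pmtu": pmtu, "df": df, "retries": retries}

        icmp = fw.filter_inbound(icmp)
        if icmp is not None:
            pmtu = icmp.next_hop_mtu   # normal PMTU-D: shrink and resend
            continue

        # No answer at all: from A's point of view this is a black hole.
        retries += 1
        if retries >= MAX_RETRIES:
            if not blackhole_avoidance:
                return {"delivered": False, "pmtu": pmtu, "df": df, "retries": retries}
            df = False   # avoidance strategy assumed here: stop setting DF

    return {"delivered": False, "pmtu": pmtu, "df": df, "retries": retries}


if __name__ == "__main__":
    for drop, avoid in [(False, False), (True, False), (True, True)]:
        print(f"F drops need-frag={drop}, avoidance={avoid}:",
              run_pmtud(drop, avoid))
```

With F passing the ICMP, A learns the 1006-byte MTU on the first round trip. With F dropping it and no avoidance, A resends the same 1500-byte DF segment until it gives up, which is the black hole the message describes. With avoidance, A eventually clears DF and R fragments the packet, at the cost of the retransmit delay and of never learning the true path MTU.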