At 21:37 24/07/02 +1200, Craig Whitmore wrote:
> (a more technical explanation from Cisco of the problem
> I've noticed this problem for ages (for example the ASB's site) when
> their pages via a GRE tunnel (or the
> Is blocking _all_ ICMP types the wrong thing to do? (in particular type 3
> (unreachable), subtype 4 (needs fragmentation)
> for PMTU Discovery) and basically breaking their website
> for people who
> have paths who get fragmented TCP/IP packets)
I don't know about other people, but the level of ignorance shown by the
banks' "security specialists" astounds me.
"We try to keep entry rules [to the network] as tight as possible to what
we specifically want in there on the basis that anything else could be bad.
We don't need to support ICMP traffic, therefore it is excluded."
Don't need ICMP, eh? Perhaps they haven't read RFC 792:
gateway or destination host will communicate with a source host, for
example, to report an error in datagram processing. For such
purposes this protocol, the Internet Control Message Protocol (ICMP),
is used. ICMP, uses the basic support of IP as if it were a higher
level protocol, however, ICMP is actually an integral part of IP, and
must be implemented by every IP module."
Note the word MUST.
Certainly, there are some kinds of ICMP that could/should be blocked for
some applications, but blocking all ICMP and therefore breaking PMTU
Discovery is just plain ignorant and stupid, especially when it's so
incredibly easy to avoid, with a single ACL in their firewall/router.
(Allow ICMP type 3 code 4.)
"Woolett says WestpacTrust hasn't heard of any problems along these lines
but also says if users are capable of tweaking MTU settings they're
probably fixing their own problems."
Bollocks. First of all, any customers having that problem contacting their
bank about it would likely not encounter any frontline helpdesk staff that
would have any clue that the problem they're having is related to PMTU
Discovery problems, or even know what PMTU was.
They'd probably go through all the standard "Have you rebooted Windows?",
"Have you installed the latest version of Internet Explorer?" stuff, and
then conclude that there was some unknown problem with the customer's
computer and that it needed reinstalling. The so-called "security
specialists" would probably never hear about 90% of the customers having
The second thing that's bollocks about that statement is the implication that
there is a "problem" at the customer's end that needs tweaking. Going
through a GRE tunnel, or anything else that forces you to use a lower MTU,
is not a "problem", it is just a situation which the IP protocol is
designed to handle as a matter of course. The problem lies at the bank,
where they are breaking the IP protocol, however much they try to evade the
"If someone's done some really crazy tweaking at their end then it could
potentially cause an issue."
Going through a GRE tunnel is "really crazy tweaking" now, is it? Oh yes, of
course... I forgot. Anyone that doesn't use the internet for only http and
pop3 over a dialup connection is "crazy"......
Hopefully with a bit of bad publicity the self-styled "security
specialists" might get a kick in the bum to go out and actually read up on
ICMP a bit....
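The failure mode the post describes, as an added simulation that is not part of the original message: a web server behind a firewall sends DF-set segments towards a customer whose path includes a GRE hop with a smaller MTU; the hop returns ICMP type 3 code 4, and the transfer either completes or stalls depending on whether the bank-side firewall lets that one ICMP message through. The tunnel MTU of 1476 and the retry limit are constructed values, and segment size is treated as packet size for simplicity.

```python
from dataclasses import dataclass

ICMP_UNREACHABLE, CODE_FRAG_NEEDED = 3, 4
SERVER_MTU = 1500      # web server's link MTU
TUNNEL_MTU = 1476      # constructed GRE hop: 1500 minus 24 bytes of GRE+IP overhead
MAX_RETRIES = 3        # constructed: retransmits before we call the connection stalled


@dataclass
class IcmpMessage:
    icmp_type: int
    code: int
    next_hop_mtu: int   # MTU of the hop that could not forward the packet (RFC 1191)


def firewall_permits(msg: IcmpMessage, block_all_icmp: bool) -> bool:
    """Bank-side ingress policy. block_all_icmp=True models 'ICMP is excluded';
    otherwise only the single rule the post asks for is modelled:
    permit ICMP type 3 code 4 (IOS extended ACL keyword: packet-too-big)."""
    if block_all_icmp:
        return False
    return (msg.icmp_type, msg.code) == (ICMP_UNREACHABLE, CODE_FRAG_NEEDED)


def gre_hop(size: int, df: bool):
    """Return (forwarded, icmp). A DF packet larger than the tunnel MTU is
    dropped and a fragmentation-needed message is sent back to the source."""
    if size <= TUNNEL_MTU:
        return True, None
    if df:
        return False, IcmpMessage(ICMP_UNREACHABLE, CODE_FRAG_NEEDED, TUNNEL_MTU)
    return True, None   # without DF the hop would fragment; not modelled further


def serve_response(response_bytes: int, block_all_icmp: bool):
    """Send a response as DF segments sized to the current path-MTU estimate.
    Returns (bytes delivered, final path MTU estimate, stalled?)."""
    path_mtu, delivered = SERVER_MTU, 0
    while delivered < response_bytes:
        size = min(path_mtu, response_bytes - delivered)
        for _attempt in range(MAX_RETRIES):
            forwarded, icmp = gre_hop(size, df=True)
            if forwarded:
                delivered += size
                break
            if icmp is not None and firewall_permits(icmp, block_all_icmp):
                path_mtu = icmp.next_hop_mtu            # PMTUD works: shrink and resend
                size = min(path_mtu, response_bytes - delivered)
        else:
            return delivered, path_mtu, True            # ICMP never arrived: TCP stalls
    return delivered, path_mtu, False
```

Small responses (the login page) fit the tunnel and succeed under either policy, which is why the helpdesk never sees a clean failure; only a large response exposes the difference.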
To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz
where the body of your message reads: