Re: UDP dont fragment bit

From: Dave+Seddon (dave-sender-1932b5_at_seddon.ca)
Date: 09/22/05

    To: Sten Daniel Sørsdal <lists@wm-access.no>
    Date: Thu, 22 Sep 2005 09:46:50 +1000

    Greetings Sten,

    I'm a little worried about a couple of the things you've said:

    1. "It is more common to block icmp messages about reassembly problems than
    DF problems IF a message is generated in the first place."

    I think that's crap. Most firewalls DO correctly and statefully accept the
    ICMP messages for existing sockets. ipf and pf do, but I'm not sure about
    IPFW2, but I'd be surprised if it didn't. I'd also be surprised if iptables
    in linux land didn't track the ICMP. Most commercial firewalls, like
    Netscreen, Checkpoint, PIX, all do also.

    2. "Consider a client connected to an isp's network(1). The isp drops all
    ICMP packets. That network is then connected to a third network(2) which
    has a data path that has an MTU of 1400 bytes but also mangles tcp mss
    to 1360, udp packets must get fragmented. On server side the firewall
    must reassemble all udp fragments before passing them on to server."

    If your ISP doesn't understand the importance of ICMP and they just drop it,
    change ISPs. ICMP is critical to efficient TCP, and your whole thread is
    about getting that ability for UDP. If your ISP does drop ICMP then the
    don't defragment option will just result in packets disappearing anyway.

    Regards,
    Dave Seddon
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
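The point Dave makes in item 1 is that a stateful firewall does not blindly accept or drop ICMP errors: it parses the original IP/UDP header quoted inside the ICMP "fragmentation needed" message and only passes the error if that quoted flow is one it already tracks. The following is an added illustration of that check, written for this page and not code from the thread, from pf, ipf or any firewall; it builds a constructed ICMP type 3 code 4 message (RFC 792 header with the RFC 1191 next-hop MTU field) for an outbound UDP datagram with DF set, verifies the ICMP checksum, extracts the quoted 5-tuple, and matches it against a constructed state table. The addresses are RFC 5737 documentation ranges, the ports and MTU values are invented for the example.

```python
import struct
import ipaddress

# Constructed example addresses (RFC 5737 documentation ranges), not from the thread.
LOCAL_HOST = "192.0.2.10"
REMOTE_HOST = "198.51.100.5"
ROUTER = "203.0.113.1"

IPPROTO_ICMP, IPPROTO_UDP = 1, 17
ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED = 3, 4
IP_DF = 0x4000  # "don't fragment" bit in the IPv4 flags/fragment-offset field


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; yields 0 for a message whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, proto, payload_len, flags_frag=0):
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, flags_frag, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_frag_needed(router, original_packet, next_hop_mtu):
    """ICMP type 3 code 4 as a router emits it: 8-byte ICMP header whose last two bytes
    carry the next-hop MTU (RFC 1191), followed by the original IP header plus the
    first 8 bytes of its payload, i.e. the UDP header."""
    orig_ihl = (original_packet[0] & 0x0F) * 4
    quoted = original_packet[:orig_ihl + 8]
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu) + quoted
    icmp = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    orig_src = str(ipaddress.IPv4Address(original_packet[12:16]))
    return build_ipv4_header(router, orig_src, IPPROTO_ICMP, len(icmp)) + icmp


def parse_frag_needed(packet: bytes):
    """Parse an IPv4 datagram carrying ICMP 'fragmentation needed'. Returns the quoted
    flow and the advertised MTU, or None if the packet is malformed or something else."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != IPPROTO_ICMP:
        return None
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    # Need the ICMP header plus at least a 20-byte quoted IP header and 8 bytes of payload.
    if len(icmp) < 8 + 28 or inet_checksum(icmp) != 0:
        return None
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if itype != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    inner = icmp[8:]
    if inner[0] >> 4 != 4:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 8:
        return None
    flags_frag = struct.unpack("!H", inner[6:8])[0]
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {
        "router": str(ipaddress.IPv4Address(packet[12:16])),
        "next_hop_mtu": mtu,
        "proto": inner[9],
        "src": str(ipaddress.IPv4Address(inner[12:16])),  # host that sent the too-big datagram
        "dst": str(ipaddress.IPv4Address(inner[16:20])),
        "sport": sport,
        "dport": dport,
        "df_set": bool(flags_frag & IP_DF),
    }


def icmp_matches_state(msg, states) -> bool:
    """The stateful-firewall decision: accept the error only if the quoted datagram belongs
    to a tracked flow. `states` holds (proto, local_ip, local_port, remote_ip, remote_port)
    for flows opened from inside; the quoted packet was sent by the inside host, so its
    src/sport are the local side."""
    if msg is None:
        return False
    return (msg["proto"], msg["src"], msg["sport"], msg["dst"], msg["dport"]) in states


def build_sample_frag_needed(sport=40000):
    """Constructed: a router at ROUTER reports MTU 1400 for a 1500-byte DF UDP datagram
    from LOCAL_HOST:sport to REMOTE_HOST:5060. Only the part a router quotes is built."""
    udp_hdr = struct.pack("!HHHH", sport, 5060, 1480, 0)
    original = build_ipv4_header(LOCAL_HOST, REMOTE_HOST, IPPROTO_UDP, 1480, IP_DF) + udp_hdr
    return build_frag_needed(ROUTER, original, 1400)


def demo():
    states = {(IPPROTO_UDP, LOCAL_HOST, 40000, REMOTE_HOST, 5060)}
    legit = parse_frag_needed(build_sample_frag_needed(40000))
    # Same message quoting a port the host never used: state tracking drops it.
    unrelated = parse_frag_needed(build_sample_frag_needed(40001))
    return legit, icmp_matches_state(legit, states), icmp_matches_state(unrelated, states)


if __name__ == "__main__":
    print(demo())
```

The state table here is the simplified equivalent of the connection table a stateful filter keeps; the real firewalls named in the mail match on the same quoted header fields, which is why an ICMP error for a flow the firewall never saw gets dropped while one for an open socket gets through, and why dropping all ICMP at the ISP, as in Sten's scenario, cannot be compensated for by anything downstream.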

