On Thu, 18 May 2017, Brian Kantor wrote:
On Thu, May 18, 2017 at 10:08:09AM -0400, Craig Brauckmiller wrote:
Nope, that's my firewall dropping that. I don't allow ICMP to hit the 96.86.86.53 address.
Then you have cut your own throat by disabling one of the internet's
primary troubleshooting tools.
In addition to being a useful troubleshooting tool, ICMP packets are used
for Path MTU Discovery (PMTUD), which is pretty good and essential
Internet functionality when you have smaller MTUs involved. And, with our
IPIP tunnels, we have just that! The encapsulation causes our link MTU to
be smaller than the standard Ethernet 1500 bytes.
https://en.wikipedia.org/wiki/Path_MTU_Discovery
"Many network security devices block all ICMP messages for perceived
security benefits, including the errors that are necessary for the
proper operation of PMTUD. This can result in connections that complete
the TCP three-way handshake correctly, but then hang when data is
transferred. This state is referred to as a black hole connection."
So, please do not block all of ICMP; ICMP Unreachable messages (type 3)
should be permitted, especially on a network like ours.
- Hessu
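An added example, not from the thread, showing what the ICMP type 3 code 4 (fragmentation needed) message that PMTUD depends on actually carries, the reduced MTU of an IPIP tunnel, and how a stateful firewall can admit such errors only when the embedded header matches a connection the host really has; the peer address 192.0.2.10 and the port numbers are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

ETHERNET_MTU = 1500
IPIP_OVERHEAD = 20                       # outer IPv4 header added by IPIP encapsulation
ICMP_DEST_UNREACH, CODE_FRAG_NEEDED = 3, 4

def tunnel_mtu(link_mtu=ETHERNET_MTU):
    """Largest packet that fits inside the IPIP tunnel (1500 - 20 = 1480)."""
    return link_mtu - IPIP_OVERHEAD

def tcp_mss(mtu):
    """MSS a host (or an MSS-clamping firewall) should use: MTU minus 20-byte IPv4
    and 20-byte TCP headers."""
    return mtu - 40

def ipv4_header(src, dst, proto, total_len, df=True):
    """Minimal 20-byte IPv4 header; checksum is left zero since it is not inspected here."""
    flags_frag = 0x4000 if df else 0     # DF bit set: PMTUD relies on routers not fragmenting
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                       64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def sample_offending_packet():
    """Constructed sample: a 1500-byte DF TCP segment from the thread's 96.86.86.53:443
    to a placeholder peer 192.0.2.10:51000; payload bytes are arbitrary."""
    return ipv4_header("96.86.86.53", "192.0.2.10", 6, 1500) + struct.pack("!HH", 443, 51000) + b"\0" * 4

def frag_needed_message(next_hop_mtu, offending_packet):
    """ICMP type 3 code 4 as a router would send it (RFC 792 + RFC 1191): 8-byte header
    with the next-hop MTU, then the offending IP header plus its first 8 payload bytes."""
    hdr = struct.pack("!BBHHH", ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, 0, 0, next_hop_mtu)
    return hdr + offending_packet[:28]

def parse_icmp_error(msg):
    """Decode a destination-unreachable message and the 5-tuple of the flow it refers to."""
    typ, code, _, _, mtu = struct.unpack("!BBHHH", msg[:8])
    inner = msg[8:]                      # quoted original IP header + 8 bytes
    proto = inner[9]
    src, dst = IPv4Address(inner[12:16]), IPv4Address(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[20:24])
    return {"type": typ, "code": code, "next_hop_mtu": mtu,
            "flow": (str(src), sport, str(dst), dport, proto)}

def firewall_accepts(msg, known_flows):
    """Stateful policy instead of 'drop all ICMP': admit type 3 only when the quoted
    header belongs to a flow this host owns, so PMTUD keeps working."""
    err = parse_icmp_error(msg)
    return err["type"] == ICMP_DEST_UNREACH and err["flow"] in known_flows
```

With the tunnel MTU of 1480, the host learns from the next-hop MTU field to resend with smaller packets; a firewall that drops the message leaves the connection in the black-hole state the Wikipedia quote describes.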