Subject: Re: [44net] ICMP: A small request
From: "Marc, LX1DUC" lx1duc@laru.lu
Date: 02/19/2016 06:37 PM
To: AMPRNet working group 44net@hamradio.ucsd.edu
Especially as we are all running tunnels, you (well your systems) really want to receive ICMP 3:4 (Fragmentation required, and DF flag set) messages.
The "Ping of death" is not an issue anymore, and ICMP flooding isn't really frequent anymore either. Nowadays neither of them requires rejecting all kinds of ICMP messages. Usually a fair rate limiting in the INPUT chain does the trick.
73 de Marc, LX1UDC
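
One way to express the policy described in the message above (accept ICMP 3:4, rate-limit instead of rejecting all ICMP), as an added example that is not part of the original thread. The function name, the `IPT` dry-run variable and the rate values are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: ICMP handling for the INPUT chain of a tunnel endpoint.
# IPT is the command each rule is passed to; IPT=echo prints the rules
# instead of installing them (dry run).
IPT="${IPT:-iptables}"
# Constructed sample limits, not values from the thread; tune to the link.
ECHO_RATE="${ECHO_RATE:-5/second}"
ECHO_BURST="${ECHO_BURST:-10}"

icmp_input_rules() {
    # ICMP errors that conntrack can tie to an existing flow.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # ICMP 3:4 (fragmentation required, DF set): accepted before any
    # rate limit, because path MTU discovery over the tunnel needs it.
    $IPT -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
    # Remaining error messages that report a broken path or packet.
    $IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
    # Echo requests are answered, but only up to the configured rate.
    $IPT -A INPUT -p icmp --icmp-type echo-request \
        -m limit --limit "$ECHO_RATE" --limit-burst "$ECHO_BURST" -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
    # Any ICMP type not matched above is dropped.
    $IPT -A INPUT -p icmp -j DROP
}

# Install the rules only when asked to: sh icmp-rules.sh apply
if [ "${1:-}" = "apply" ]; then
    icmp_input_rules
fi
```

Running it with `IPT=echo sh icmp-rules.sh apply` prints the rules for review without touching the firewall.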
Unfortunately people like Steve Gibson have done a lot of damage by misinformation - likely more than the damage ever caused by replying to a PING.
It is still hard to convince some people they should not block all ICMP. At work I am currently trying to solve a problem caused by dropping the above ICMP packet combined with the "blackhole detect" misfeature that means the connection is not just completely breaking down (and the bad firewall operator noticing his mistake), but becoming much slower. As bad as a site that has IPv6 in DNS but not actually working...
Rob
A site with IPv6 DNS is no worse than a person in the telephone directory who isn't home when you want to call.
The network stacks should be smart enough to try other means (e.g., IPv4) when possible.
While it would be *nice* if directories like DNS were totally up to date, it's not unusual for them to have old (or optimistic?) data in them.
- Richard, VE7CVS
On 2/19/16 12:30 PM, Rob Janssen wrote:
> As bad as a site that has IPv6 in DNS but not actually working...
> Rob