[c-nsp] What MTU for Bellsouth BBG / BRAS <-> LNS l2TP tunnel ?
Brian Feeny
signal at shreve.net
Tue Nov 2 18:33:13 EST 2004
Do you have a problem with ICMP type 3 messages though? Specifically
Type 3 Code 4 (Fragmentation Needed & DF set)?

Those are usually sent in response to TCP (legitimate or otherwise) and
really only tell you about link MTU, which isn't super top secret anyways
and really a necessity for proper communications.

I don't think it's good for admins to use the sledgehammer approach and
deny all ICMP is all.
Brian
On Nov 2, 2004, at 3:32 PM, Hudson Delbert J Contr 61 CS/SCBN wrote:
> okay...
>
> here is why i have come to hate icmp.
>
> the ICMP/Packet Internet Groper program, or ping, sends out ICMP Echo Request
> (type=8) packets and waits for ICMP Echo Reply (type=0) replies.
>
> If the distant end is up, has an IP stack, and is not behind a device
> blocking ICMP echoes (a firewall), the echo reply will be received by your
> stack and presented to ping. so as one can see it indicates that the remote
> system is up and reachable.
>
> to prevent scans many firewalls block both outbound requests and inbound
> replies.
>
> another goofball fingerprinting technique involves using ICMP timestamp
> replies, but only from most Unix systems; because M$ stacks don't implement
> this functionality, we know it is not a winbloze box we are hitting.
>
> address mask requests (type 16) should only be answered by routers and
> should not cross AS boundaries.
>
> source quench and redirects adjust routing tables and as such should also
> never pass a firewall as they can be used to seed DoS and other blends.
>
> time exceeded (type 11, code 0) messages can be used to map networks.
>
> IP headers include a Time-To-Live (TTL) value that gets decremented each
> time the IP packet passes through an IP layer.
>
> TTL prevents packets from looping forever.
>
> imho, icmp is evil as it supplies so much info to the sender that they
> really don't need to see.
>
> ~piranha
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Gert Doering
> Sent: Monday, November 01, 2004 11:28 PM
> To: Randy Bush
> Cc: Phillip Vandry; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] What MTU for Bellsouth BBG / BRAS <-> LNS l2TP tunnel?
>
>
> Hi,
>
> On Mon, Nov 01, 2004 at 10:25:00PM -0800, Randy Bush wrote:
>>>> amazon is about as stupid about networking as the moslem world is
>>>> about the current us government. if they're doing something,
>>>> there's a reason. we can try to understand how this might not work
> [..]
>> vendor bug, as guessed in the part of my reply you omitted.
>> been known for a while. being worked. there is hope.
>
> Thanks. I take back my comments about cluelessness and apologize.
>
> (It's just so frustrating to talk to firewall admins day after day, and
> the thing they are all insisting on is that "ICMP IS EVIL"...)
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert at net.informatik.tu-muenchen.de
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
------------------------------------------------------------------------------
Brian Feeny, CCIE #8036, CISSP    e: signal at shreve.net
Network Engineer                  p: 318.213.4709
ShreveNet Inc.                    f: 318.221.6612
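The point Brian and Gert are making, and the one Hudson's list of ICMP types argues against, is easiest to see with a worked path-MTU discovery exchange. The following is an added example, not code from the thread or from any of the posters: a small Python simulation of RFC 1191 PMTUD across a tunnel hop whose MTU is smaller than the access link, run once under a "deny all ICMP" firewall policy and once under a selective policy that still admits type 3 code 4 (and type 11 for traceroute) while dropping the redirect, source quench, timestamp and address-mask messages Hudson objects to. The link MTUs (1500 / 1460 / 1500), the packets and both policies are constructed here for illustration; 1460 is an assumed tunnel MTU, not a figure from the thread.

```python
"""Added example, not code from the cisco-nsp thread: a small simulation of
path-MTU discovery (RFC 1191) across a tunnel hop whose MTU is smaller than
the access link, run once under a "deny all ICMP" firewall policy and once
under a selective policy that still admits ICMP type 3 code 4. The link
MTUs (1500 / 1460 / 1500), the packets and the two policies are all
constructed here for illustration; 1460 is an assumed tunnel MTU, not a
figure from the thread."""
import struct

# ICMP type numbers (RFC 792) and the "fragmentation needed" code (RFC 1191).
ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH, REDIRECT, ECHO = 0, 3, 4, 5, 8
TIME_EXCEEDED, TIMESTAMP, TIMESTAMP_REPLY = 11, 13, 14
MASK_REQUEST, MASK_REPLY = 17, 18
FRAG_NEEDED = 4  # type 3, code 4: fragmentation needed and DF set

# Messages that alter routing or mainly serve fingerprinting: dropped at the edge.
ROUTING_OR_FINGERPRINT = {SOURCE_QUENCH, REDIRECT, TIMESTAMP, TIMESTAMP_REPLY,
                          MASK_REQUEST, MASK_REPLY}


def build_frag_needed(next_hop_mtu: int, offending: bytes) -> bytes:
    """ICMP type 3 code 4 as a router emits it: type, code, checksum,
    16 unused bits, the 16-bit next-hop MTU (RFC 1191), then the IP header
    plus 8 bytes of the dropped datagram. Checksum is left 0 for brevity."""
    hdr = struct.pack("!BBHHH", DEST_UNREACH, FRAG_NEEDED, 0, 0, next_hop_mtu)
    return hdr + offending[:28]


def parse_icmp(pkt: bytes) -> dict:
    """Split the 8-byte ICMP header; next_hop_mtu is only meaningful for 3/4."""
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", pkt[:8])
    return {"type": icmp_type, "code": code, "next_hop_mtu": mtu, "payload": pkt[8:]}


def deny_all_icmp(msg: dict) -> bool:
    """The sledgehammer policy from the thread: no ICMP gets through."""
    return False


def selective_icmp(msg: dict) -> bool:
    """Admit what PMTUD and traceroute depend on, drop the rest. Echo is a
    matter of local policy and is dropped here for brevity."""
    if msg["type"] in ROUTING_OR_FINGERPRINT:
        return False
    return msg["type"] in (DEST_UNREACH, TIME_EXCEEDED)


def send_with_pmtud(size: int, path_mtus: list, admit, max_rounds: int = 8):
    """Send a DF-flagged datagram of `size` bytes along a path of link MTUs.
    The first hop too small for the datagram drops it and returns ICMP 3/4
    carrying its own MTU; the sender can only shrink and retry if the
    firewall policy `admit` lets that ICMP through.
    Returns (delivered, path_mtu_in_use, attempts)."""
    pmtu = size  # a sender starts from its own interface MTU
    for attempt in range(1, max_rounds + 1):
        # Constructed 20-byte IPv4 header (version/IHL, TOS, total length, ...)
        ip_header = b"\x45\x00" + struct.pack("!H", pmtu) + b"\x00" * 16
        datagram = ip_header + b"\x00" * (pmtu - 20)
        too_small = next((m for m in path_mtus if m < pmtu), None)
        if too_small is None:
            return True, pmtu, attempt  # fits every link: delivered
        icmp = parse_icmp(build_frag_needed(too_small, datagram))
        if not admit(icmp):
            # Classic PMTUD black hole: the DF packet is dropped, the 3/4
            # never arrives, and the sender keeps retransmitting at full size.
            return False, pmtu, attempt
        pmtu = icmp["next_hop_mtu"]
    return False, pmtu, max_rounds


if __name__ == "__main__":
    path = [1500, 1460, 1500]  # access link, L2TP tunnel hop, LNS side (assumed)
    for name, policy in (("deny all ICMP", deny_all_icmp), ("selective", selective_icmp)):
        delivered, pmtu, tries = send_with_pmtud(1500, path, policy)
        print(f"{name:14s} delivered={delivered} pmtu={pmtu} attempts={tries}")
```

Under the selective policy the sender learns the 1460-byte tunnel MTU from the first 3/4 and succeeds on the second attempt; under "deny all ICMP" the first full-size DF packet is silently lost and the sender never finds out why, which is exactly the firewall-admin symptom Gert describes. On an IOS extended ACL the selective policy corresponds to permitting `packet-too-big` (and the other `unreachable` codes) plus `time-exceeded` while denying `redirect`, `source-quench`, `timestamp-request` and `mask-request`, rather than a blanket `deny icmp any any`.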