The answer is yes, that's what I'm saying. PMTU is fine on a LAN that could be capable of Jumbo Frames, but is pretty much useless over the WAN or internet since the PMTU has to use the lowest common denominator MTU in the path. Nobody I know, nor have I ever had a problem with "PMTU" and shutting off ICMP routing. And no I do not believe it is used across the internet, and if it does, it is probably hindering performance since it's probably using a lower MTU than is allowed, such as 576 or smaller. It would also have problems running across multi-level routing hierarchies.

No, there is a greater need for ICMP drops, and that is ping attacks. Still happening to some of our customers. No one's going to sit there and filter IP blocks. There are currently no viable uses or reasons for pinging into private networks, except for possible troubleshooting, in which case the admin would be involved.

Finally, I do not believe PMTU uses pings to discover the PMTU. I believe it uses TCP or UDP packets at the layers above IP, and it DOES use "ICMP Packet Too Big" responses (from the receiver) to cut its packet size. So in reality, a router blocking ICMP from being routed through can still send these ICMP messages PMTU needs. Is this how you understand it?

Marc

-----Original Message-----
From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu]
Sent: Friday, October 26, 2001 12:22 PM
To: Quibell, Marc
Cc: nanog@merit.edu
Subject: Re: Digital Island sponsors DoS attempt?

On Fri, 26 Oct 2001 12:01:38 CDT, "Quibell, Marc" said:
> That's all fine Valdis, but no one does MTU check on the internet or PMTU checks. This is all LAN-based...
Umm.. I'm confused. What's all LAN-based? Or are you saying that PMTU Discovery isn't used *at all*? Or that it's not *widely* used, mostly because a large chunk of the net *is* stuck at 1500-byte MTUs, and a large fraction of the rest has broken PMTU discovery because of boneheaded ICMP filtering?

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
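As an added illustration, not part of the thread, here is a small Python model of the PMTU discovery exchange Marc describes: DF-marked packets go out, the router in front of a too-small link answers with ICMP type 3 code 4, and the sender shrinks its packet size. The topologies, MTUs and filter policies are constructed; the model contrasts a border firewall that forwards only "fragmentation needed" with one that drops all ICMP, which is the black-hole case Valdis refers to.

```python
"""Model of Path MTU Discovery (RFC 1191) under two ICMP filter policies.

A sender transmits packets with DF set. A router whose outgoing link is too
small drops the packet and returns ICMP type 3 code 4 ("fragmentation needed")
carrying that link's MTU. The sender learns the path MTU only if that ICMP
passes the filters of every router between the reporting router and itself.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ICMP = Tuple[int, int]          # (type, code)
ECHO_REQUEST: ICMP = (8, 0)     # what "ping" sends
FRAG_NEEDED: ICMP = (3, 4)      # the message PMTUD depends on


@dataclass
class Router:
    name: str
    link_mtu: int                              # MTU of this router's outgoing link
    icmp_forward: Optional[Set[ICMP]] = None   # None = forward every ICMP message


def icmp_allowed(router: Router, msg: ICMP) -> bool:
    """Does this router forward an ICMP message of this type/code toward the sender?"""
    return router.icmp_forward is None or msg in router.icmp_forward


def path_mtu_discovery(path: List[Router], start_mtu: int, max_rounds: int = 8):
    """Return (final_size, delivered). delivered=False is a PMTU black hole: the
    sender keeps a size some link cannot carry and never receives the ICMP."""
    size = start_mtu
    for _ in range(max_rounds):
        reporter = next((i for i, r in enumerate(path) if size > r.link_mtu), None)
        if reporter is None:
            return size, True                    # packet fits every link
        # The ICMP generated at path[reporter] must pass every router before it.
        if all(icmp_allowed(r, FRAG_NEEDED) for r in path[:reporter]):
            size = path[reporter].link_mtu       # shrink to the advertised MTU
        else:
            return size, False                   # ICMP filtered, sender never learns
    return size, False


# Constructed topologies: jumbo-frame LAN, border firewall, then a 1400-byte tunnel.
SELECTIVE = [Router("lan", 9000), Router("fw", 1500, {FRAG_NEEDED}), Router("tunnel", 1400)]
BLANKET = [Router("lan", 9000), Router("fw", 1500, set()), Router("tunnel", 1400)]

if __name__ == "__main__":
    for label, path in (("selective ICMP filter", SELECTIVE), ("blanket ICMP drop", BLANKET)):
        print(label, path_mtu_discovery(path, 9000))
```

With the selective policy the firewall still drops echo requests yet the sender converges on 1400; with the blanket policy the first hop is learned (the firewall reports its own link) but the tunnel's ICMP is dropped at the firewall and the connection black-holes at 1500.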