I actually thought about that being a problem, only if you block ALL ICMP messages. Any router beyond the blocking one will break PMTU discovery, so yeah you're right. One could always deny specific ICMP types....

Marc

-----Original Message-----
From: Bob K [mailto:melange@yip.org]
Sent: Friday, October 26, 2001 1:45 PM
To: Quibell, Marc
Cc: nanog@merit.edu
Subject: RE: Digital Island sponsors DoS attempt?

On Fri, 26 Oct 2001, Quibell, Marc wrote:
Finally, I do not believe PMTU uses pings to discover the PMTU. I believe it uses TCP or UDP packets at the layers above IP, and it DOES use "ICMP Packet Too big" responses (from the receiver) to cut its packet size. So in reality, a router blocking ICMP from being routed through can still send these ICMP messages PMTU needs. Is this how you understand it?
Don't forget that routers or hosts beyond (from the point of view of the host attempting PMTU) your ICMP-blocking router may have smaller MTUs than the norm and may be trying to send ICMP errors back...

-- Bob <melange@yip.org> | We're all wrong.
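
Added example, not part of the original thread: a toy Python model of Path MTU discovery through one ICMP-filtering router, covering both cases discussed above (the filtering router originating the error itself, and a smaller-MTU router beyond it). The function name, the policies and the hop MTUs are constructed for illustration, and every router is assumed to report its next-hop MTU as in RFC 1191.

```python
"""Toy model: RFC 1191 Path MTU discovery through an ICMP-filtering router."""

FRAG_NEEDED = (3, 4)  # Destination Unreachable / Fragmentation Needed and DF set


def pmtud(hop_mtus, filter_at, blocked, start_mtu=1500, max_tries=8):
    """Return (packet_size, delivered) for a sender probing with DF set.

    hop_mtus  : MTU of the link leaving each router, sender side first
    filter_at : index of the router that filters ICMP routed *through* it
    blocked   : callable (icmp_type, code) -> True if the filter drops it
    """
    size = start_mtu
    for _ in range(max_tries):
        # First router whose outgoing link is too small for this packet.
        stuck = next((i for i, mtu in enumerate(hop_mtus) if size > mtu), None)
        if stuck is None:
            return size, True  # packet fit every link on the path
        # The router at `stuck` sends Fragmentation Needed back to the sender.
        # The filter only sees that error if it comes from a router beyond
        # it; an error the filtering router originates itself is not
        # "routed through" it.
        if stuck > filter_at and blocked(*FRAG_NEEDED):
            return size, False  # sender never learns the MTU: black hole
        size = hop_mtus[stuck]  # sender shrinks to the reported next-hop MTU
    return size, False


def block_all(icmp_type, code):
    """Policy: drop every ICMP message routed through the filter."""
    return True


def block_echo_only(icmp_type, code):
    """Policy: deny specific types only (echo request 8, echo reply 0)."""
    return icmp_type in (0, 8)


# Constructed paths: the filtering router is router 1 in both.
SMALL_MTU_BEYOND = [1500, 1500, 1400]     # router 2, past the filter, is small
SMALL_MTU_AT_FILTER = [1500, 1400, 1500]  # the filtering router itself is small

if __name__ == "__main__":
    for name, path in (("beyond", SMALL_MTU_BEYOND), ("at filter", SMALL_MTU_AT_FILTER)):
        for policy in (block_all, block_echo_only):
            print(name, policy.__name__, pmtud(path, 1, policy))
```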