-----Original Message-----
From: Owen DeLong
Sent: Thursday, February 16, 2012 8:48 PM
To: Masataka Ohta
Cc: nanog@nanog.org
Subject: Re: Common operational misconceptions
On Feb 16, 2012, at 5:11 PM, Masataka Ohta wrote:
Andreas Echavez wrote:
*Why disabling ICMP doesn't increase security and only hurts the web* (path MTU discovery, diagnostics)
That PMTUD works is a misconception.
It actually works where people have not made active efforts to break it.
Modern (RFC 4821) PMTUD, which is used by default by Solaris and Microsoft, does not require ICMP and works well. For Linux you have to enable it: /proc/sys/net/ipv4/tcp_mtu_probing = 1 or 2 (I believe the default is still 0, which means it relies on ICMP for PMTUD by default and you must turn on RFC 4821 PMTUD). If you're still relying on ICMP for PMTUD, then yeah, you probably run into problems from time to time, but fewer stacks use that method of PMTUD these days.
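An added, read-only audit script (not from the thread or from any of its authors) that checks the Linux knob the message names. It classifies the value of tcp_mtu_probing using the meanings documented in the kernel's ip-sysctl text (0 = disabled, 1 = enabled once an ICMP black hole is detected, 2 = always probe from tcp_base_mss) and prints the sysctl line an operator would put in /etc/sysctl.d/ to follow the advice above. The file path is a parameter (an assumption of this example, not part of the kernel interface) so the check can be run against a constructed file on any host, without root:

```sh
#!/bin/sh
# Added example, not code from the NANOG thread: audit a Linux host's
# RFC 4821 (packetization-layer) PMTUD setting without changing anything.
# Linux exposes the knob as /proc/sys/net/ipv4/tcp_mtu_probing, with
# values documented in the kernel's ip-sysctl text:
#   0  disabled: TCP path MTU discovery relies on ICMP "fragmentation
#      needed" / "packet too big" messages, so ICMP filtering breaks it
#   1  disabled until an ICMP black hole is detected, then probing starts
#   2  always probe, starting from the MSS in tcp_base_mss
# Assumption: the file path is a parameter so the functions can be run
# against a constructed file on any system, no root needed.

PROBING_FILE_DEFAULT=/proc/sys/net/ipv4/tcp_mtu_probing

# Print one word describing how PMTUD will behave if ICMP is filtered.
mtu_probing_status() {
    file="${1:-$PROBING_FILE_DEFAULT}"
    if [ ! -r "$file" ]; then
        echo "unreadable"
        return 0
    fi
    value=$(tr -d '[:space:]' < "$file")
    case "$value" in
        0) echo "icmp-dependent" ;;
        1) echo "blackhole-detect" ;;
        2) echo "always-probe" ;;
        *) echo "unknown" ;;
    esac
}

# Exit status 0 when TCP can recover from filtered ICMP (values 1 or 2).
mtu_probing_icmp_independent() {
    case "$(mtu_probing_status "$1")" in
        blackhole-detect|always-probe) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the sysctl line to drop into /etc/sysctl.d/ (value 1 or 2, as the
# message suggests). Printing only, so the audit stays read-only.
mtu_probing_remediation() {
    echo "net.ipv4.tcp_mtu_probing = ${1:-1}"
}

# Stand-alone use: `sh pmtud_audit.sh --audit` checks the running host.
if [ "${1-}" = "--audit" ]; then
    status=$(mtu_probing_status)
    echo "tcp_mtu_probing: $status"
    if ! mtu_probing_icmp_independent; then
        echo "PMTUD depends on ICMP; consider: $(mtu_probing_remediation)"
    fi
fi
```

Note that a value of 1 only helps after the kernel has already observed a black hole (repeated retransmissions of full-sized segments), so connections still pay a delay before recovering; 2 avoids that at the cost of starting every connection at tcp_base_mss.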