RE: Digital Island sponsors DoS attempt?
Hierarchical routing, not routing protocols: from far-end points to backbone and back out. Different interfaces support different MTUs. In this context, let's say your lowest common denominator starts at (a maximum of) 64000 MTU, from your GBit. Jumbo frames. Somewhere in that range I think. Let's say your pipe to the internet is an OC-3, an edge router. What is that, 9172 MTU? Your MTU has just been sliced and diced and PMTU-D, from its return "Packet too big" ICMPs, has cut it down to size. You basically said it already, and in fact the RFC defines this as well, though does not go into further detail. This is what I think is meant by hierarchical routing.

Concerning ACLs, I don't see a problem filtering ICMPs using source and destination addresses. An admin's source and destination address or just his/her source being permitted? I believe there are also methods of filtering ICMP types as well, as defined in RFC1700?

Yes, networks are private, and using firewalls helps keep them that way. Can you login to a private network? Just because you can ping does not grant you access. And just because they have an internet line does not make them public domain.

Marc

-----Original Message-----
From: Nicholas Bastin [mailto:nbastin@opnet.com]
Sent: Friday, October 26, 2001 4:08 PM
To: Quibell, Marc
Cc: 'Valdis.Kletnieks@vt.edu'; nanog@merit.edu
Subject: RE: Digital Island sponsors DoS attempt?

On Fri, 2001-10-26 at 14:19, Quibell, Marc wrote:
The answer is yes, that's what I'm saying. PMTU is fine on a LAN that could be capable of Jumbo Frames, but is pretty much useless over the WAN or internet since the PMTU has to use the lowest common denominator MTU in the path. Nobody I know, nor have I ever had a problem with "PMTU" and shutting off ICMP routing. And no I do not believe it is used across the internet, and if it does, it is probably hindering performance since it's probably using a lower MTU than is allowed, such as 576 or smaller. It would also have problems running across multi-level routing hierarchies.
(I'll make the assumption here that PMTU really means PMTU-D in some cases) Using the lowest common denominator MTU in the path is exactly the point, and it's pretty hard to find out what that value is with PMTU-D. It *is* used across the internet, and while the MTU usually gets affected nearer to the edge than the core (PPPoE or other reasons), various forms of tunneling in the path can drop it below 1500 bytes. Also, I'd be interested in hearing any facts you might be able to present on why it would have any problem running across multi-level routing hierarchies, as I can't possibly see how the choice of routing protocol or hierarchy would affect the path MTU in the least.
No, there is a greater need for ICMP drops, and that is ping attacks. Still happening to some of our customers. No one's going to sit there and filter IP blocks. There are currently no viable uses or reasons for pinging into private networks, except for possible troubleshooting, in which case the admin would be involved.
So, your ACLs can determine whether it's an admin or a user sending ICMP. That's an interesting piece of hardware you have there... And I don't know about everyone else, but if your network were truly 'private', I wouldn't be able to ping into it anyhow. As soon as you have users, connect to the internet, and expect to be able to reach the internet in a mostly unrestricted manner, your network doesn't fit my definition of 'private'.

--
Nick Bastin
OPNET Technologies
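The point the two of them circle around (Marc: ICMP can be filtered per type; Nick: PMTU-D depends on the "Packet too big" ICMP getting back) can be shown with a small model. This is an added example, not code from either poster; the link MTUs on the path and the ACL rules are constructed for illustration, and the model follows RFC 1191 behaviour (a router drops an oversized DF packet and returns ICMP type 3 code 4 carrying the next-hop MTU).

```python
# Added example (not from the thread): a model of Path MTU Discovery (RFC 1191)
# behind an ICMP ACL. Link MTUs and ACL rules are constructed for illustration.
ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST = 0, 3, 8
ICMP_FRAG_NEEDED = 4  # type 3 code 4: "fragmentation needed and DF set"

# Constructed path: jumbo-frame LAN, POS edge link, Ethernet, tunnelled access link
PATH_MTUS = [9000, 4470, 1500, 1476]

def make_icmp_acl(rules, default="deny"):
    """First-match ICMP ACL; rules are (type, code or None, "permit"/"deny")."""
    def check(icmp_type, icmp_code):
        for rule_type, rule_code, action in rules:
            if rule_type == icmp_type and rule_code in (None, icmp_code):
                return action == "permit"
        return default == "permit"
    return check

def send_with_df(size, path_mtus, icmp_acl):
    """Forward a DF-marked packet hop by hop. Returns ("delivered", None),
    ("too_big", next_hop_mtu) if the router's type 3 code 4 passes the ACL,
    or ("blackholed", None) if the ACL drops it and the sender learns nothing."""
    for mtu in path_mtus:
        if size > mtu:
            if icmp_acl(ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
                return ("too_big", mtu)  # next-hop MTU carried in the ICMP
            return ("blackholed", None)  # sender sees silence, not a hint
    return ("delivered", None)

def discover_pmtu(local_mtu, path_mtus, icmp_acl, max_rounds=16):
    """Shrink the probe on each "Packet too big"; None means the host never learns."""
    size = local_mtu
    for _ in range(max_rounds):
        status, next_hop_mtu = send_with_df(size, path_mtus, icmp_acl)
        if status == "delivered":
            return size
        if status == "blackholed":
            return None
        size = next_hop_mtu
    return None

# Per-type policy: drop ping in both directions, keep the message PMTU-D depends on
PING_ONLY_BLOCKED = make_icmp_acl([
    (ICMP_ECHO_REQUEST, None, "deny"),
    (ICMP_ECHO_REPLY, None, "deny"),
    (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, "permit"),
])
ALL_ICMP_BLOCKED = make_icmp_acl([])  # the blanket "shut off ICMP" case

if __name__ == "__main__":
    print("per-type ACL discovers:", discover_pmtu(9000, PATH_MTUS, PING_ONLY_BLOCKED))
    print("all ICMP dropped:", discover_pmtu(9000, PATH_MTUS, ALL_ICMP_BLOCKED))
```

With the per-type ACL the sender converges on the 1476-byte tunnel link after three "Packet too big" replies; with all ICMP dropped the first oversized packet vanishes and the host is left with a PMTU-D black hole.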