Re: Problem of blocking ICMP packets

To: Mark Smith <ietf at 130c04165a5b40404e4440445758487a.nosense.org>
Subject: Re: Problem of blocking ICMP packets
From: Masataka Ohta <mohta at necom830.hpcl.titech.ac.jp>
Date: Sun, 09 May 2004 06:43:46 +0900
Cc: Iljitsch van Beijnum <iljitsch at muada.com>, huitema at windows.microsoft.com, ietf at ietf.org
In-reply-to: <20040508104230.7a701b2f.ietf@130c04165a5b40404e4440445758487a.nosense.org>
List-help: <mailto:ietf-request@ietf.org?subject=help>
List-id: IETF-Discussion <ietf.ietf.org>
List-post: <mailto:ietf@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
References: <DAC3FCB50E31C54987CD10797DA511BA08EA129A@WIN-MSG-10.wingroup.windeploy.ntdev.microsoft.com> <EDCBDFEE-A069-11D8-BE01-000A95CD987A@muada.com> <20040508104230.7a701b2f.ietf@130c04165a5b40404e4440445758487a.nosense.org>
Sender: ietf-admin at ietf.org
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)

Mark Smith;

> > Filtering on protocol/port numbers is a broken concept.

Yes, it is.

However, it is merely as broken as PMTUD that we don't need
security discussion to deny PMTUD.

> I've understood that what you have described is the end-goal
> of end-to-end, opportunistic encryption and authentication ie.
> IPsec.

Back to the original problem, PMTUD depends on the capabilities
of intermediate systems on a path to generate certain ICMP,
generation of which is as complex as fragmentation itself,
that it is not very end to end.

That is, PMTUD is a broken concept.

						Masataka Ohta



_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

Follow-Ups:
- Re: Problem of blocking ICMP packets
  - From: Matt Mathis
- Re: Problem of blocking ICMP packets
  - From: Mark Smith

References:
- RE: Problem of blocking ICMP packets
  - From: Christian Huitema
- Re: Problem of blocking ICMP packets
  - From: Iljitsch van Beijnum
- Re: Problem of blocking ICMP packets
  - From: Mark Smith

Prev by Date: Re: Firewalling for the new millennium, was: Problem of blocking ICMP packets
Next by Date: Re: Problem of blocking ICMP packets
Previous by thread: Re: Firewalling for the new millennium, was: Problem of blocking ICMP packets
Next by thread: Re: Problem of blocking ICMP packets
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.

Re: Problem of blocking ICMP packets

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.