At 21:37 24/07/02 +1200, Craig Whitmore wrote:
I was wondering what people think about this latest story..
http://www.idg.net.nz/webhome.nsf/UNID/4AA2988B4A1835C5CC256BFF0014A6A8!opendocument
(a more technical explanation from Cisco of the problem: http://www.cisco.com/warp/public/105/56.html)
I've noticed this problem for ages (for example the ASB's site) when viewing their pages via a GRE tunnel (or the inability to).
Is blocking _all_ ICMP types the wrong thing to do? (In particular type 3 (unreachable), subtype 4 (needs fragmentation) for PMTU Discovery, and basically breaking their website for people who have paths which get fragmented TCP/IP packets.)
Thanks
Craig Whitmore

I don't know about other people, but the level of ignorance shown by the banks' "security specialists" astounds me.

"We try to keep entry rules [to the network] as tight as possible to what we specifically want in there on the basis that anything else could be bad. We don't need to support ICMP traffic, therefore it is excluded."

Don't need ICMP eh? Perhaps they haven't read RFC 792: "Occasionally a gateway or destination host will communicate with a source host, for example, to report an error in datagram processing. For such purposes this protocol, the Internet Control Message Protocol (ICMP), is used. ICMP uses the basic support of IP as if it were a higher level protocol, however, ICMP is actually an integral part of IP, and must be implemented by every IP module." Note the word MUST. Certainly, there are some kinds of ICMP that could/should be blocked for some applications, but blocking all ICMP and therefore breaking PMTU Discovery is just plain ignorant and stupid, especially when it's so incredibly easy to avoid, with a single ACL in their firewall/router (allow ICMP type 3 code 4).

"Woolett says WestpacTrust hasn't heard of any problems along these lines but also says if users are capable of tweaking MTU settings they're probably fixing their own problems."

Bollocks. First of all, any customers having that problem contacting their bank about it would likely not encounter any frontline helpdesk staff that would have any clue that the problem they're having is related to PMTU Discovery problems, or even know what PMTU was. They'd probably go through all the standard "Have you rebooted Windows?", "Have you installed the latest version of Internet Explorer?" stuff, and then conclude that there was some unknown problem with the customer's computer and that it needed reinstalling. The so-called "security specialists" would probably never hear about 90% of the customers having this problem.

The second thing that's bollocks about that statement is the implication that there is a "problem" at the customer's end that needs tweaking. Going through a GRE tunnel, or anything else that forces you to use a lower MTU, is not a "problem", it is just a situation which the IP protocol is designed to handle as a matter of course. The problem lies at the bank where they are breaking the IP protocol, however much they try to evade the issue.

"If someone's done some really crazy tweaking at their end then it could potentially cause an issue."

Going through a GRE tunnel is "really crazy tweaking" now, is it? Oh yes of course... I forgot. Anyone that doesn't use the internet for only http and pop3 over a dialup connection is "crazy"......

Hopefully with a bit of bad publicity the self-styled "security specialists" might get a kick in the bum to go out and actually read up on ICMP a bit.... </rant> :)

Regards,
Simon
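The following is an added illustration of the failure both posts describe; it is not code from the nznog thread or from any of the parties mentioned. It models Path MTU Discovery (RFC 1191) as a toy simulation: a server sends full-size datagrams with the DF bit set across a path that ends in a GRE tunnel with a smaller MTU, and the router at that hop answers with ICMP type 3 code 4 carrying the next-hop MTU. Two firewall policies are compared, the "drop every ICMP type" policy quoted in the article and the single-ACL fix Simon describes (admit only type 3 code 4). The hop names, MTU values (1500 and 1476) and packet sizes are constructed for the example.

```python
"""Toy Path MTU Discovery (RFC 1191) model, written for this illustration.
Shows why a firewall that drops all ICMP turns a lower-MTU path (e.g. a GRE
tunnel) into a black hole, while admitting ICMP type 3 code 4 keeps it working.
Hop MTUs and packet sizes are constructed values, not measurements."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ICMP_DEST_UNREACHABLE = 3
ICMP_FRAG_NEEDED = 4  # type 3, code 4: "fragmentation needed and DF set"


@dataclass
class Packet:
    size: int          # total IP datagram length in bytes
    df: bool = True    # Don't Fragment bit; PMTUD-capable stacks set it
    # For ICMP messages: (type, code, next-hop MTU); None for ordinary data
    icmp: Optional[Tuple[int, int, int]] = None


@dataclass
class Hop:
    name: str
    mtu: int


# Constructed path: bank LAN -> transit -> customer's GRE tunnel (1476 bytes)
PATH: List[Hop] = [Hop("bank-lan", 1500), Hop("transit", 1500), Hop("gre-tunnel", 1476)]

# A filter returns True when the sender's firewall admits the inbound message
IcmpFilter = Callable[[Packet], bool]


def block_all_icmp(pkt: Packet) -> bool:
    """The policy quoted in the article: every ICMP message is dropped."""
    return pkt.icmp is None


def allow_pmtud_icmp(pkt: Packet) -> bool:
    """The 'single ACL' fix: admit only ICMP type 3 code 4."""
    if pkt.icmp is None:
        return True
    icmp_type, icmp_code, _ = pkt.icmp
    return (icmp_type, icmp_code) == (ICMP_DEST_UNREACHABLE, ICMP_FRAG_NEEDED)


def forward(pkt: Packet, path: List[Hop],
            inbound_filter: IcmpFilter) -> Tuple[str, Optional[int]]:
    """Push one datagram along the path.

    Returns ("delivered", None); ("icmp", next_hop_mtu) when the router's
    type 3 code 4 message gets back through the sender's firewall; or
    ("blackhole", None) when that message is dropped and nothing comes back.
    """
    for hop in path:
        if pkt.size > hop.mtu:
            if not pkt.df:
                continue  # router fragments instead (fragments assumed to fit; simplified)
            # RFC 1191: router discards the DF datagram and reports the next-hop MTU
            notice = Packet(size=56, df=False,
                            icmp=(ICMP_DEST_UNREACHABLE, ICMP_FRAG_NEEDED, hop.mtu))
            return ("icmp", hop.mtu) if inbound_filter(notice) else ("blackhole", None)
    return ("delivered", None)


def pmtud_send(initial_mtu: int, path: List[Hop], inbound_filter: IcmpFilter,
               max_tries: int = 8) -> Tuple[int, bool]:
    """Sender retries a full-size DF datagram, shrinking it each time a
    type 3 code 4 message arrives. Returns (MTU settled on, delivered?)."""
    mtu = initial_mtu
    for _ in range(max_tries):
        outcome, hint = forward(Packet(size=mtu), path, inbound_filter)
        if outcome == "delivered":
            return mtu, True
        if outcome == "icmp" and hint is not None and hint < mtu:
            mtu = hint
            continue
        return mtu, False  # black hole: same-size retransmissions never get through
    return mtu, False


if __name__ == "__main__":
    for name, policy in (("block all ICMP", block_all_icmp),
                         ("allow type 3 code 4", allow_pmtud_icmp)):
        print(f"{name:20s} small packet: {forward(Packet(size=576), PATH, policy)[0]:10s}"
              f" full-size page data: {pmtud_send(1500, PATH, policy)}")
```

Running it shows the symptom Craig reports: small datagrams (the TCP handshake, a short request) are delivered under both policies, so the site appears reachable, but with all ICMP dropped the first full-size response is silently discarded at the tunnel and the sender never learns to shrink it. With type 3 code 4 admitted, the sender settles on 1476 bytes after one round trip and the page loads.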