Yes. blocking all ICMP breaks things ( The ASB's Web Site is a good example that breaks through GRE Tunnels because of MTU Discovery not working right) Thanks Craig Whitmore Orcon Internet http://www.orcon.net.nz ----- Original Message ----- From: "Don Stokes" <don(a)daedalus.co.nz> To: <nznog(a)list.waikato.ac.nz> Sent: Wednesday, August 22, 2001 12:16 PM Subject: Re: XTRA network having problems?
"Gordon Smith" <gordons(a)morenet.net.nz> wrote:
Site is up. All ICMP is blocked at the border router, instead of just filtering out undesirable ICMP traffic...
If you're really filtering *all* ICMP traffic, you've broken it. Path MTU discovery relies on ICMP fragmentation-required messages getting through, and *lots* of TCP implementations rely on MTU path discovery. It works fine as long as the MTUs are all the same, but when they aren't, or if encapsulation such as ESP or GRE are in use, it doesn't.
ICMP is there for a reason. If you don't know what you're doing, don't touch it.
-- don --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
--------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog