On Wed, Jul 24, 2002 at 11:03:37PM +1200, Juha Saarinen wrote:
> On Wed, 24 Jul 2002, Craig Whitmore wrote:
> > I've found lots of places which say blocking the ICMP stuff for PMTU stuff is wrong (causing this issue). Where did the people who block it get the idea to actually do this and "break things" for their clients? Maybe there should be a warning up on their web page saying "People who have fragmented TCP/IP packets will not be able to access this site properly because we are too lazy to fix our firewalls" (well, it's what it sounds like in the news article).
> Firewall issues apart, I believe the problem is that the banks in question have networks with smaller than 1,500 byte MTUs, but are not advertising the fact, so it's not a question of "people having fragmented packets" as such.
No. The problem is that there is a sub-1500-byte MTU interface on a router somewhere between the bank's firewall and the client, and the bank's servers are not being informed of this fact because bank firewalls are dropping the "would fragment" messages. You'd hope that banks would employ people who actually knew something about security, but apparently not.
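The failure mode described in this thread, as an added example that is not part of the original messages: a simulated Path MTU Discovery exchange (RFC 1191) between a server sending with DF set, a router on the path with a smaller link MTU, and a server-side firewall that either passes or drops the ICMP "fragmentation needed" (type 3, code 4) reply. The ICMP encoding and checksum follow the RFC; the path, the 1492-byte hop (a PPPoE-sized link), the payload sizes and the retry limit are constructed for the demonstration, as is the placeholder datagram body.

```python
"""Path MTU Discovery with and without a firewall that drops ICMP type 3 / code 4.

Added illustration for the NZNOG thread above; not code from any of the posters.
The path MTUs, payload lengths and retry limit below are constructed test values.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

IP_HDR_LEN = 20          # IPv4 header without options
TCP_HDR_LEN = 20         # TCP header without options
ICMP_DEST_UNREACH = 3    # ICMP type: destination unreachable
ICMP_FRAG_NEEDED = 4     # ICMP code: fragmentation needed and DF set


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; verifying a valid message yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frag_needed(next_hop_mtu: int, dropped_datagram: bytes) -> bytes:
    """The message a router emits when a DF datagram exceeds the next hop's MTU
    (RFC 1191 section 4): type, code, checksum, 16 unused bits, 16-bit Next-Hop
    MTU, then the dropped datagram's IP header plus the first 8 bytes after it."""
    quoted = dropped_datagram[:IP_HDR_LEN + 8]
    body = struct.pack("!HH", 0, next_hop_mtu) + quoted
    header = struct.pack("!BBH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0)
    csum = icmp_checksum(header + body)
    return struct.pack("!BBH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, csum) + body


def parse_frag_needed(msg: bytes) -> Optional[int]:
    """Return the advertised Next-Hop MTU, or None if this is not a valid
    fragmentation-needed message (wrong type/code or bad checksum)."""
    if len(msg) < 8 or icmp_checksum(msg) != 0:
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if typ != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    return mtu


@dataclass
class Result:
    delivered: bool       # did the whole payload get through?
    pmtu: int             # path MTU the server believes in at the end
    datagrams_sent: int   # including ones the router dropped
    icmp_received: int    # fragmentation-needed messages that reached the server


def simulate_transfer(path_mtus: List[int], firewall_passes_icmp: bool,
                      payload_len: int, max_retries: int = 3) -> Result:
    """Send payload_len bytes of TCP data with DF set across hops with the given
    MTUs. The server starts from its first-hop MTU. A too-large datagram is
    dropped by the router, which answers with ICMP type 3 / code 4; that reply
    must cross the server-side firewall to be of any use. Without it the server
    just retransmits the same oversized segment until it gives up."""
    pmtu = path_mtus[0]
    remaining, datagrams, icmp_seen, retries = payload_len, 0, 0, 0
    while remaining > 0:
        size = min(pmtu, IP_HDR_LEN + TCP_HDR_LEN + remaining)
        datagram = bytes([0x45]) + bytes(size - 1)   # constructed placeholder IPv4 datagram
        datagrams += 1
        bottleneck = next((m for m in path_mtus if m < size), None)
        if bottleneck is None:
            remaining -= size - IP_HDR_LEN - TCP_HDR_LEN
            retries = 0
            continue
        reply = build_frag_needed(bottleneck, datagram)
        if firewall_passes_icmp:
            icmp_seen += 1
            mtu = parse_frag_needed(reply)
            if mtu is not None and mtu < pmtu:
                pmtu = mtu                       # RFC 1191: shrink and resend
            continue
        retries += 1                             # black hole: nothing learnt
        if retries > max_retries:
            return Result(False, pmtu, datagrams, icmp_seen)
    return Result(True, pmtu, datagrams, icmp_seen)


if __name__ == "__main__":
    path = [1500, 1492, 1500]                    # constructed: one PPPoE-sized hop
    print("handshake, ICMP dropped:", simulate_transfer(path, False, 20))
    print("3000-byte page, ICMP dropped:", simulate_transfer(path, False, 3000))
    print("3000-byte page, ICMP passed:", simulate_transfer(path, True, 3000))
```

The small transfer succeeds in every case, which is exactly the symptom the thread describes: the TCP handshake and a login form go through, then the first full-sized response stalls. On a Linux netfilter firewall the corresponding fix is to permit that one ICMP type rather than all of ICMP, e.g. `iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT`, placed before any blanket ICMP drop.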