"Gordon Smith" wrote:

Site is up. All ICMP is blocked at the border router, instead of just filtering out undesirable ICMP traffic...

If you're really filtering *all* ICMP traffic, you've broken it. Path MTU discovery relies on ICMP fragmentation-required messages getting through, and *lots* of TCP implementations rely on MTU path discovery. It works fine as long as the MTUs are all the same, but when they aren't, or if encapsulation such as ESP or GRE are in use, it doesn't. ICMP is there for a reason. If you don't know what you're doing, don't touch it. -- don --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog

Yes. blocking all ICMP breaks things ( The ASB's Web Site is a good example that breaks through GRE Tunnels because of MTU Discovery not working right) Thanks Craig Whitmore Orcon Internet http://www.orcon.net.nz ----- Original Message ----- From: "Don Stokes" To: Sent: Wednesday, August 22, 2001 12:16 PM Subject: Re: XTRA network having problems?

"Gordon Smith" wrote:

...

Site is up. All ICMP is blocked at the border router, instead of just filtering out undesirable ICMP traffic...

If you're really filtering *all* ICMP traffic, you've broken it. Path MTU discovery relies on ICMP fragmentation-required messages getting through, and *lots* of TCP implementations rely on MTU path discovery. It works fine as long as the MTUs are all the same, but when they aren't, or if encapsulation such as ESP or GRE are in use, it doesn't.

ICMP is there for a reason. If you don't know what you're doing, don't touch it.

-- don --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog

--------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog

Now correct me if I'm wrong. But hasn't xtra/telecom always filtered out ICMP? Dean On Wed, Aug 22, 2001 at 12:16:53PM +1200, Don Stokes wrote:

"Gordon Smith" wrote:

...

Site is up. All ICMP is blocked at the border router, instead of just filtering out undesirable ICMP traffic...

If you're really filtering *all* ICMP traffic, you've broken it. Path MTU discovery relies on ICMP fragmentation-required messages getting through, and *lots* of TCP implementations rely on MTU path discovery. It works fine as long as the MTUs are all the same, but when they aren't, or if encapsulation such as ESP or GRE are in use, it doesn't.

ICMP is there for a reason. If you don't know what you're doing, don't touch it.

-- don --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog

--------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog

On Wed, Aug 22, 2001 at 01:32:01PM +1200, Gordon Smith wrote:

I can't trace past their ape connection...

Can't recall having ever being able to do so.

Short memory :) On Tue, Aug 21, 2001 at 08:24:57PM -0400, Joe Abley wrote:

http://maggie.automagic.org/cgi-bin/mtr.cgi?p=4&c=5&t=202.49.143.70

maggie$ mtr -4 --report --report-cycles 1 "202.49.143.70" HOST LOSS RCVD SENT BEST AVG WORST gateway1-acc-skyt.qsi.net.nz 0% 1 1 1.60 1.60 1.60 xtra.ape.net.nz 0% 1 1 3.39 3.39 3.39 100% 0 1 0.00 0.00 0.00 maggie$ --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog

Before anyone goes accusing people of "Breaking the Net" we should probably ask someone at Xtra what their policy actually is. Is there anyone on the list from Xtra who wants to comment on which ICMP they actually block (if any) Dean On Wed, Aug 22, 2001 at 01:46:37PM +1200, Craig Whitmore wrote:

I have no idea.. but if someone is filtering out All ICMP on Public Routable Addresses then they are "Breaking the NET" for a large number of users.. A little anoying yes. Also still a large number of routers still break ECN :-(

Thanks Craig Whitmore Orcon Internet http://www.orcon.net.nz

----- Original Message ----- From: "Dean Pemberton" To: "Don Stokes" Cc: Sent: Wednesday, August 22, 2001 1:02 PM Subject: Re: XTRA network having problems?

...

Now correct me if I'm wrong. But hasn't xtra/telecom always filtered out

ICMP?

...

Dean

On Wed, Aug 22, 2001 at 12:16:53PM +1200, Don Stokes wrote:

...

"Gordon Smith" wrote:

...

Site is up. All ICMP is blocked at the border router, instead of just filtering out undesirable ICMP traffic...

If you're really filtering *all* ICMP traffic, you've broken it. Path MTU discovery relies on ICMP fragmentation-required messages getting through, and *lots* of TCP implementations rely on MTU path discovery. It works fine as long as the MTUs are all the same, but when they aren't, or if encapsulation such as ESP or GRE are in use, it doesn't.

ICMP is there for a reason. If you don't know what you're doing, don't touch it.

-- don --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog

--------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog

--------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog

Both work for me, using Lynx. Both set cookies, first site gets trailing dots removed...

-----Original Message----- From: Joe Abley [mailto:jabley(a)automagic.org] Sent: Wednesday, 22 August 2001 12:25 To: Gordon Smith Cc: Ben Martel; nznog(a)list.waikato.ac.nz Subject: Re: XTRA network having problems?

On Wed, Aug 22, 2001 at 11:57:56AM +1200, Gordon Smith wrote:

...

Site is up. All ICMP is blocked at the border router, instead of just filtering out undesirable ICMP traffic...

To which address?

www.nbnz.co.nz A 202.49.143.70 www.nbnz.co.nz A 210.55.168.70

They both behave differently from where I'm looking.

http://maggie.automagic.org/cgi-bin/mtr.cgi?p=4&c=5&t=202.49.143.70 http://maggie.automagic.org/cgi-bin/mtr.cgi?p=4&c=5&t=210.55.168.70

jabley(a)maggie[134]$ telnet 202.49.143.70 80 Trying 202.49.143.70... Connected to 202.49.143.70. Escape character is '^]'. ^] telnet> quit Connection closed. jabley(a)maggie[135]$ telnet 210.55.168.70 Trying 210.55.168.70... ^C jabley(a)maggie[136]$

--------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog