(OT) Re: ICMP

Peter Lebbing peter at digitalbrains.com
Fri Aug 15 21:14:49 CEST 2014


On 15/08/14 19:27, Robert J. Hansen wrote:
> I may be insisting on usual semantics for "misconfiguration," 
> though.

Okay. So an administrator willingly creates a PMTU blackhole? He *wants*
the people trying to communicate through his firewall to fail on
connections where the PMTU is smaller than the MTU of the networks at
the endpoint? That is, only failing as soon as they send big packets. So
for instance, an SMTP session will correctly authenticate. Both peers
are completely happy. Then, when it's time for the mail to pass, all
suddenly inexplicably falls silent. Hard to debug if you don't know
about PMTU blackholes!

The iptables man page calls it this (TCP MSS clamping target):

> This  target  is  used  to overcome criminally braindead ISPs or 
> servers which block "ICMP Fragmentation Needed" or "ICMPv6 Packet
> Too Big" packets.

That is a direct quote, not my words.

But I most bloody emphatically agree. Criminally braindead. Should not
be allowed to touch network equipment. You don't let the brakes in
your sometimes-mentioned sweet car be serviced by the cleaning lady, do
you? In a similar vein, I wish network administration were left to
people who are not criminally braindead.

> I am generally of the opinion that when someone deliberately 
> configures something in a foolish way, well -- that's folly, not a 
> misconfiguration.

I would only agree when the one doing the configuration actually thought
through the consequences. At least the big consequences.

Blocking all ICMP is incredibly stupid.

You might have noticed I feel very strongly about this. I hate meddling
with packets at routers that shouldn't be touching them and completely
violating the layering of the network to deal with f***ing idiots.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
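
As an added illustration (a constructed toy model, not code from the post, from iptables, or from the GnuPG project), here is a simulation of the failure mode described above: the tiny SMTP handshake passes, the large DF-marked message segments vanish once "ICMP Fragmentation Needed" is blocked, and clamping the MSS at the firewall (what the TCPMSS target does) restores delivery. The names Path, deliver, send_payload and smtp_session, and the MTU values, are assumptions.

```python
"""Toy model of TCP Path MTU Discovery across a narrow hop (constructed example)."""
from dataclasses import dataclass

IP_TCP_HEADERS = 40  # IPv4 (20) + TCP (20) header bytes, no options


@dataclass
class Path:
    endpoint_mtu: int        # MTU of the sender's own link
    narrow_mtu: int          # smallest MTU anywhere on the path
    icmp_blocked: bool       # firewall drops ICMP "Fragmentation Needed"
    clamp_mss: bool = False  # firewall rewrites MSS on SYN (TCPMSS-style clamp)


def deliver(path, packet_size, pmtu):
    """One DF packet through the narrow hop. Returns (delivered, learned_pmtu)."""
    if packet_size <= path.narrow_mtu:
        return True, pmtu
    if path.icmp_blocked:
        return False, pmtu            # silently dropped: the PMTU blackhole
    return False, path.narrow_mtu     # ICMP Frag Needed reports the real PMTU


def send_payload(path, payload_bytes, max_tries=3):
    """Send one application message; True if every segment got through."""
    pmtu = path.endpoint_mtu
    # MSS fixed at SYN time: from the host MTU, or clamped to the path by the firewall
    mss = (path.narrow_mtu if path.clamp_mss else path.endpoint_mtu) - IP_TCP_HEADERS
    remaining = payload_bytes
    while remaining > 0:
        seg = min(remaining, mss, pmtu - IP_TCP_HEADERS)
        for _ in range(max_tries):
            ok, pmtu = deliver(path, seg + IP_TCP_HEADERS, pmtu)
            if ok:
                break
            seg = min(seg, pmtu - IP_TCP_HEADERS)  # shrink only if we learned a new PMTU
        else:
            return False  # retransmissions exhausted: the connection just stalls
        remaining -= seg
    return True


def smtp_session(path):
    """EHLO/AUTH exchange is tiny; the message body is large. Returns (auth_ok, mail_ok)."""
    auth_ok = send_payload(path, 200)
    mail_ok = send_payload(path, 20_000)
    return auth_ok, mail_ok
```

With ICMP blocked, smtp_session reports the handshake succeeding and the mail transfer stalling, which is exactly why such a blackhole is hard to debug; the clamped variant succeeds without any ICMP at all.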
