Re: Blocking ICMP with ipchains

From: Steven M. Bellovin (smbat_private)
Date: Mon Jan 17 2000 - 14:56:34 PST


    In message <H0000b6d066815cd@MHS>, peter.schawackerat_private writes:
    >
    >How could blocking all ICMP cause a problem?  I have worked with two rather 
    >large networks that blocked all ICMP at the router level.  Were we just lucky 
    >not to have any problems?
    
    It's very important to allow 'ICMP Can't Fragment' messages in.  Otherwise, 
    Path MTU (RFC 1191) breaks, and you may find yourself unable to talk to 
    certain sites.  The only reason most people haven't seen this yet is that most 
    links support 1500-byte MTUs, so the problem isn't triggered.  If you have a 
    smaller MTU somewhere -- for example, if you have an IPsec tunnel -- you won't 
    be able to talk to some very popular Web sites.
    
    		--Steve Bellovin
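Added illustration, not part of Steve Bellovin's post or the list archive: a small Python model of RFC 1191 Path MTU Discovery for a host behind an inbound ICMP filter, using constructed ICMP messages. The allowed type/code set and the hop MTUs are assumptions chosen to show the case the post describes (a 1500-byte host behind a smaller-MTU link such as an IPsec tunnel).

```python
import struct

# ICMP type/code from RFC 792; the Next-Hop MTU field is defined in RFC 1191.
DEST_UNREACH, FRAG_NEEDED = 3, 4
PMTUD_SAFE = {(DEST_UNREACH, FRAG_NEEDED)}   # minimum an inbound ICMP filter must admit

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for an intact message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frag_needed(next_hop_mtu: int, offending_datagram: bytes) -> bytes:
    """'Can't Fragment' message a router returns when a DF datagram exceeds
    the next hop's MTU. Constructed sample, not a capture."""
    body = struct.pack("!BBHHH", DEST_UNREACH, FRAG_NEEDED, 0, 0, next_hop_mtu)
    body += offending_datagram[:28]            # original IP header + 8 bytes
    return body[:2] + struct.pack("!H", internet_checksum(body)) + body[4:]

def parse_icmp(msg: bytes):
    """Return (type, code, next_hop_mtu) after checking length and checksum."""
    if len(msg) < 8 or internet_checksum(msg) != 0:
        raise ValueError("corrupt or truncated ICMP message")
    icmp_type, code, _, _, mtu = struct.unpack("!BBHHH", msg[:8])
    return icmp_type, code, mtu

def allow_icmp_in(msg: bytes, permitted: set) -> bool:
    """Inbound filter: an empty 'permitted' set models 'block all ICMP'."""
    icmp_type, code, _ = parse_icmp(msg)
    return (icmp_type, code) in permitted

def pmtud(start_mtu: int, hop_mtus, permitted: set):
    """Simulate RFC 1191 discovery for a sender behind the filter. Returns the
    MTU the sender settles on, or None if the path became a PMTU black hole."""
    size = start_mtu
    # constructed IPv4 header of the offending datagram (version/IHL, total length)
    sample_ip = b"\x45\x00" + struct.pack("!H", size) + b"\x00" * 24
    for hop in hop_mtus:
        if size > hop:                         # DF set, so the router cannot forward it
            msg = build_frag_needed(hop, sample_ip)
            if not allow_icmp_in(msg, permitted):
                return None                    # sender keeps retransmitting; the connection hangs
            size = parse_icmp(msg)[2]          # sender lowers its packet size to the reported MTU
    return size
```

With every hop at 1500 the deny-all policy never bites, which is why the two networks in the question saw no trouble; insert one 1400-byte hop and the same policy turns the path into a black hole.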
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:58:02 PDT