On Wed, 7 May 2008, Michael Sinatra wrote:

> Nathan Anderson/FSR wrote:
>> Here is a brief update on the situation:
>>
>> I have been in contact with someone at Microsoft's service operations
>> center, who has confirmed for me that MS does in fact block _all_ ICMP
>> at the edge of their network, that they are aware that this will in fact
>> break PMTUD, and that they have no current plans to change this practice
>> which they have implemented in the interest of security.
>
> Although the need for your previous apology has already been questioned
> in this forum, the confirmation that they block not only certain ICMP
> types, but all ICMP, further vacates the need for any apology for
> criticizing this behavior in a public forum. It is disheartening for
> those of us who use and support MSFT's products to learn that their
> understanding of security lacks even the basic nuance to know not to
> block an entire--critical--portion of the Internet Protocol. Perhaps
> they should also block _all_ TCP and UDP as well, and then we can move on.
>
> I agree with Iljitsch that it happens frequently, but I think I am
> justified in expecting more than that from Microsoft. Anything less
> would be unprofessional.

I wonder if MS knows about:
ICMP Packet Filtering v1.2 from 2003:
http://www.cymru.com/Documents/icmp-messages.html
Only been around 5 years or so. Hopefully MS people reading this email
will take note, read the entire page and implement what everyone else has
been doing for a number of years.

-Hank

_______________________________________________
NANOG mailing list
NANOG@nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog