> -----Original Message-----
> From: Owen DeLong 
> Sent: Thursday, February 16, 2012 8:48 PM
> To: Masataka Ohta
> Cc: nanog@nanog.org
> Subject: Re: Common operational misconceptions
> 
> 
> On Feb 16, 2012, at 5:11 PM, Masataka Ohta wrote:
> 
> > Andreas Echavez wrote:
> >
> >> *Why disabling ICMP doesn't increase security and only hurts the
> web*
> >> *(path MTU discovery, diagnostics)
> >
> > That PMTUD works is a misconception.
> >
> 
> It actually works where people have not made active efforts to break
> it.

Modern (RFC 4821) PMTUD that is used by default by Solaris and Microsoft does 
not require ICMP and works well.  For Linux you have to enable it:

/proc/sys/net/ipv4/tcp_mtu_probing = 1 or 2 (I believe the default is still 0 
which means it relies on ICMP for PMTUD by default and you must turn on RFC 
4821 PMTUD).  If you're relying on ICMP for PMTUD, still, then yeah, you 
probably run into problems from time to time but fewer stacks use that method 
of PMTUD these days.  
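To make the difference concrete, here is an added simulation (not code from this thread or from any OS stack) of why RFC 4821 style probing survives an ICMP blackhole while classic ICMP-driven PMTUD stalls. The path model, the 40-byte header assumption and the `base_mss` fallback (playing the role Linux's tcp_base_mss plays) are simplifications I chose for illustration, not the kernel's exact algorithm.

```python
"""Packetization-layer PMTUD (RFC 4821 style) over a path that silently drops
oversized packets and never sends ICMP.  Added illustration with simplified
search bounds; not the Linux tcp_mtu_probing implementation."""

IPV4_TCP_HEADERS = 40  # assumption: 20-byte IPv4 + 20-byte TCP header, no options


class SilentPath:
    """Path whose narrowest link drops larger packets and, as when ICMP is
    filtered, sends no 'fragmentation needed' message back (a blackhole)."""

    def __init__(self, path_mtu):
        self.path_mtu = path_mtu
        self.probes_sent = 0

    def deliver(self, packet_size):
        self.probes_sent += 1
        return packet_size <= self.path_mtu  # only feedback: ACK or silence


def classic_pmtud(path, interface_mtu):
    """RFC 1191 behaviour: send full-size segments and wait for ICMP.
    With no ICMP the sender learns nothing, so it returns None (stalled)."""
    if path.deliver(interface_mtu):
        return interface_mtu - IPV4_TCP_HEADERS
    return None


def plpmtud(path, base_mss, interface_mtu):
    """Binary-search the largest MSS the path carries using only whether each
    probe is acknowledged.  base_mss is assumed safe (tcp_base_mss role)."""
    search_low = base_mss                          # assumed to work
    search_high = interface_mtu - IPV4_TCP_HEADERS  # largest possible MSS
    while search_low < search_high:
        probe = (search_low + search_high + 1) // 2  # upper midpoint
        if path.deliver(probe + IPV4_TCP_HEADERS):
            search_low = probe        # acknowledged: this MSS works
        else:
            search_high = probe - 1   # silence: treat as lost, shrink
    return search_low


if __name__ == "__main__":
    blackhole = SilentPath(path_mtu=1400)  # constructed sample path
    print("classic:", classic_pmtud(blackhole, 1500))   # None: hangs
    print("rfc4821:", plpmtud(blackhole, 512, 1500))    # 1360: converges
```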