Subject: Re: SOLVED! The cause of puzzling TCP (eg. WHOIS) connection failures with some InterNIC.net hosts
To: NetBSD Networking Technical Discussion List <tech-net@netbsd.org>
From: Michael C. Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-net
Date: 11/22/1998 00:56:34

>>>>> "Greg" == Greg A Woods <woods@most.weird.com> writes:

Greg> What you've said (about the protocol being fine vs. needing to pay
Greg> attention to ICMP issues) is somewhat self contradictory. It

You need to expand this a bit.
ICMP is a part of IP. It doesn't stand on its own. If you don't handle
ICMP, then you haven't implemented IP.

Greg> doesn't really matter how the ICMP "needs frag" packet gets lost if
Greg> its loss can cause something like a TCP/IP connection to fail.

Greg> extra transmissions), and in the case of TCP connections
Greg> implementing a retry without DF if there's neither an ACK nor an
Greg> ICMP reply in a reasonable time would make the server more robust.

Agreed.
This is known as black hole detection.

Greg> (Until I scanned through RFC 1191 just recently I didn't realize
Greg> PMTUD was normally at the IP level, and not only at the TCP level

It is just easiest with TCP, since you have something that you can do
other than fragment....

Greg> My initial reading of RFC 1191 suggests that some of the suggested
Greg> implementations are at least as complex as my proposal, if not more
Greg> so. (eg. keeping track of all PMTU values and aging them out,
Greg> etc.)

Except that the PMTU work happens at the edges, and not on the router.

Greg> Convincing firewall vendors to not allow filtering of normal ICMP
Greg> should not require any changes in the RFCs -- quite the opposite
Greg> actually.

My point is that it may require a document that explains to them why
they are non-compliant.

:!mcr!: | Network and security consulting/contract programming
Michael Richardson | Firewalls, TCP/IP and Unix administration
Personal: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html
Corporate: http://www.sandelman.ottawa.on.ca/SSW/
ON HUMILITY: To err is human, to moo bovine.
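
Added example, not part of the original message and not NetBSD code: a small C model of the black hole detection discussed above, where a sender that gets neither an ACK nor an ICMP "needs frag" reply falls back to retrying without DF. The names struct path, transmit(), send_segment(), BLACKHOLE_THRESHOLD and MAX_TRIES are hypothetical, the path values are constructed, and the router is assumed to report its next-hop MTU as RFC 1191 specifies.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed path model: a bottleneck link plus an optional ICMP filter. */
struct path { int link_mtu; bool icmp_filtered; };
enum result { DELIVERED, ICMP_NEEDS_FRAG, SILENT_DROP };

/* What the sender observes after one transmission. */
static enum result transmit(const struct path *p, int len, bool df)
{
    if (len <= p->link_mtu || !df)
        return DELIVERED;   /* fits, or the router may fragment it */
    return p->icmp_filtered ? SILENT_DROP : ICMP_NEEDS_FRAG;
}

#define BLACKHOLE_THRESHOLD 2   /* assumed: timeouts tolerated before DF is cleared */
#define MAX_TRIES 8             /* assumed retransmission limit */

/* Returns the number of transmissions until delivery, or -1 if the
 * connection hangs. *df_cleared reports whether the fallback fired. */
int send_segment(const struct path *p, int len, bool detect, bool *df_cleared)
{
    bool df = true;
    int timeouts = 0;
    *df_cleared = false;
    for (int tries = 1; tries <= MAX_TRIES; tries++) {
        switch (transmit(p, len, df)) {
        case DELIVERED:
            return tries;
        case ICMP_NEEDS_FRAG:   /* normal PMTUD: shrink to the reported MTU */
            len = p->link_mtu;
            break;
        case SILENT_DROP:       /* neither ACK nor ICMP: count the timeout */
            if (detect && ++timeouts >= BLACKHOLE_THRESHOLD) {
                df = false;     /* retry without DF */
                *df_cleared = true;
            }
            break;
        }
    }
    return -1;
}

int main(void)
{
    struct path hole = { 1400, true };   /* constructed: ICMP is filtered */
    bool cleared;
    printf("no detection: %d\n", send_segment(&hole, 1500, false, &cleared));
    printf("detection:    %d\n", send_segment(&hole, 1500, true, &cleared));
}
```

With ICMP passing, the same 1500-byte segment is delivered on the second try through ordinary PMTUD, so the fallback only costs extra retransmissions on paths where the "needs frag" message is being dropped.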