Subject: Re: SOLVED! The cause of puzzling TCP (eg. WHOIS) connection failures with some hosts
To: None <>
From: Michael C. Richardson <>
List: tech-net
Date: 11/22/1998 15:08:54
>>>>> "Perry" == Perry E Metzger <> writes:
Perry> You could also use simulated packet generation techniques to
Perry> eliminate such covert channels. If you know what the path MTU
Perry> actually is, the firewall can generate the ICMPs on behalf of the
Perry> interior systems, or can block ICMPs that lie about the path MTU,
Perry> both to prevent covert channels. In any case, nothing is gained by
Perry> *not sending the messages at all*.
Agreed. Further, the firewall benefits by making the TCP MSS match the
Path MTU: it doesn't have to do as much fragment reassembly.
:!mcr!: | Network and security consulting/contract programming
Michael Richardson | Firewalls, TCP/IP and Unix administration
ON HUMILITY: To err is human, to moo bovine.
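
The two firewall behaviours discussed in this message, as an added example that is not code from the thread or its participants: dropping ICMP Fragmentation Needed messages whose Next-Hop MTU (RFC 1191) contradicts a path MTU the firewall already knows, and capping the TCP MSS so segments fit that MTU. The function names, the exact-match policy, and the idea that the firewall rewrites the MSS option are assumptions made for illustration; the sample packets are constructed.

```python
import struct

IP_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over data (padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frag_needed(next_hop_mtu: int, quoted: bytes) -> bytes:
    """Constructed sample: ICMP type 3 code 4 carrying a Next-Hop MTU field."""
    header = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu)
    cksum = inet_checksum(header + quoted)
    return struct.pack("!BBHHH", 3, 4, cksum, 0, next_hop_mtu) + quoted

def check_frag_needed(icmp: bytes, known_path_mtu: int) -> str:
    """Hypothetical policy: forward only Fragmentation Needed messages that
    report exactly the path MTU the firewall knows to be true."""
    # A valid message checksums to zero when its own checksum field is included.
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        return "drop: malformed"
    icmp_type, code, _cksum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        return "other"  # not a path-MTU message; left to other rules
    if mtu != known_path_mtu:
        return "drop: MTU %d contradicts known path MTU %d" % (mtu, known_path_mtu)
    return "forward"

def clamped_mss(known_path_mtu: int, offered_mss: int) -> int:
    """MSS that keeps every segment within the path MTU, so nothing on the
    path has to fragment and the firewall has nothing to reassemble."""
    return min(offered_mss, known_path_mtu - IP_TCP_HEADERS)
```
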