[Freeswitch-users] ICMP... and MTU
Lawrence Conroy
lconroy at insensate.co.uk
Wed Feb 19 01:48:50 MSK 2014
Hi Brian, folks,
Understood, agreed, and sympathise.
Problem (at least over this side of the pond) is customers using the cheapo routers provided by their ISP.
These are often pre-configured in strange and stupid ways, or have ISPs who use TR-069 remote "configuration, for your comfort and enjoyment" that achieves the same purpose. However, at least there's a chance these can be fixed. Educating the customers is hard, but if you care, typically you CAN configure your own box to not zap PMTUD.
It should be little surprise that the same firmware/UI that has such broken SIP ALG "support" also doesn't make it easy to block selected ICMP types.
It sure isn't a surprise to me that these "free" routers also don't handle fragments and so get confused with some DNS traffic. Tried DNSSEC, anyone?
However, the biggest problem in my experience is trying to explain to corporate IT folk why they should not do this. Yesterday I spent nearly an hour trying to explain to a corporate IT "network security specialist" why blocking NTP was not a good idea, and that he had just b*gg*r*d up a couple of hosted servers by doing that, and no, reflection attacks using NTP being in the news is not a good enough excuse. They have kit with very flexible interfaces, but IMHO have equally inflexible ideas.
Finally, corporate kit is not always immune to its own stupidities. Whacky NAT support that didn't interwork with the original STUN specs was mostly found in corporate kit, not residential stuff. In an entirely unrelated note, the main movers to update the STUN spec to its current unusable bulk came from CISCO folk, as they claimed that STUN didn't work "for a significant percentage of existing equipment". I will also forgive them in another life for their early interpretation of the SIP specs; hands up all those who had to work around the 'who needs quotes in a SIP message?' or 'LWS means exactly one space character, mostly, except when it means none' funnies.
One advantage of corporate IT departments is that you can apply a (Taser/cattle prod/clue stick) to a small number of people to achieve results for a lot of users; for residential customers/remote teleworkers it tends to be one by one.
Ah, I feel much better for that.
all the best,
Lawrence
On 18 Feb 2014, at 20:25, Brian West wrote:
> I want to open a discussion on this topic, I’m sure many of you fine freeswitchers have encountered the pain of exceeding the MTU and things not handling it properly. I’ve also seen this mindset that blocking all ICMP will somehow make your network more secure. In doing this you’re actually breaking PMTU and the internet in general. So check your firewalls; if you’re blocking, repent now and fix it… Input and discussions would be welcome on this topic.
>
> I think this issue is more of an issue facing residential installs vs commercial installs… What have you seen?