[Freeswitch-users] ICMP... and MTU

Claus Andersen clan at wheel.dk
Wed Feb 19 19:07:54 MSK 2014

On Tue, 18 Feb 2014, Lawrence Conroy wrote:

> Problem (at least over this side of the pond) is customers using the cheapo routers provided by their ISP.
> These are often pre-configured in strange and stupid ways, or have ISPs who use TR-069 remote "configuration, for your comfort and enjoyment" that achieves the same purpose. However, at least there's a chance these can be fixed. Educating the customers is hard, but if you care, typically you CAN configure your own box to not zap PMTUD.
> It should be little surprise that the same firmware/UI that has such broken SIP ALG "support" also doesn't make it easy to block selected ICMP types.
> It sure isn't a surprise to me that these "free" routers also don't handle fragments and so get confused with some DNS traffic. Tried DNSSEC, anyone?

Each market has its own idiosyncrasies. Being on the same side of the pond 
but with a subtle little addition: All ADSL lines are terminated at the CPE. 
This means that you are not allowed to supply your own DSL modem but have 
to suffer whatever (still cheapo) router du jour the ISP in their infinite 
wisdom has chosen. If you are lucky you can get them to (for a fee) 
enable bridge mode where they in most(!) cases stop touching the traffic. 
To add additional pain to the suffering, most of them are using 
"customized" firmwares which are often not kept timely up-to-date, or they 
simply stopped caring.

That is just the usual residential and small office pains...

And then we have the "enterprise" (and wannabes). They have the proper 
equipment but the IT departments are often - shall we say - lacking. 
Lawrence's observations are spot on.

So to get back to Brian's original question: Where do you see the issues? I 
see them widely in both places and it comes down to the same basic issue: 
Nobody really cares! Getting things to really work *properly* is only a 
concern of a very, very select few people. And most of the problems come 
down to $$$.

Residentials: The ISP only needs to push a simple product which is good 
enough for surfing. The quality of the firmwares being used on their CPE 
clearly demonstrates this. If you are into conspiracies you may note that 
many big ISPs are also telcos - but I honestly think it is more a 
question of $$$. Why supply a good CPE if most people accept the cheaper 
alternative? Sometimes you are able to configure them properly - other 
times that "feature" has been removed for simplicity.

Commercial: Most firewall admins I have been in touch with have often not 
had a full understanding of their field. And those who had were often 
impaired with a "security" department/committee/person/etc. Large 
organisations have the muscle to hire real networking people - but 
unfortunately they hire "security" personnel at the same time.

The mainstream only learns from large mainstream problems. They have heard 
of "ping of death" which translates into ICMP=BAD! Whenever you come and 
try to educate people on the subject the typical reaction is not to 
readily embrace the more informed approach. Their stance is then that 
everything else is working and that you have a problem with your 
technology - because we know ICMP=BAD!

And along the same lines: Try arguing that NAT is bad and that IP was 
invented as a point-to-point protocol. Mainstream interpretation: 
NAT=firewall - "You said that we do not need firewalls!". Sorry - this was 
not meant as flamebait.

Luckily I rarely deal with residential installs in my professional 
life. But on the commercial side we very, very often end up spending more 
money on equipment rather than doing things "correctly". In the enterprise 
it is often easier to set up a separate firewall/router for interconnect 
rather than getting the already existing infrastructure to play ball. And 
even to do that it ends up being easier to use separate lines to avoid a 
lot of red tape! Truly a sad state of affairs...

I took the bait and ended up ranting. My apologies!

Kind Regards,
Claus Andersen
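The "ICMP=BAD" stance discussed in the thread, shown as an nftables ruleset beside a corrected one that still drops the bulk of ICMP but lets the messages PMTUD depends on through. This is an added illustration, not configuration from the list or from any participant; the table and chain names are arbitrary, and the interface name eth0 is a placeholder.

```nft
# --- The "ICMP=BAD" policy: blanket drop. Silently breaks PMTUD, because
# --- "fragmentation needed" / "packet too big" never reach the sender, so
# --- large SIP INVITEs and RTP over tunnels/PPPoE links black-hole.
table inet pmtud_bad {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        meta l4proto icmp drop
        meta l4proto icmpv6 drop
        # ... service rules would follow here
    }
}

# --- Corrected policy: keep the restrictive default, but explicitly allow
# --- the ICMP error types that path MTU discovery needs, plus the ICMPv6
# --- neighbour-discovery messages without which IPv6 does not work at all.
table inet pmtud_ok {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        # Errors tied to an existing flow (frag-needed, port-unreachable, ...)
        # are tracked as "related" by conntrack; this alone already covers
        # most of the PMTUD case once a connection exists.
        ct state established,related accept
        # IPv4: Destination Unreachable / Fragmentation Needed (type 3, code 4)
        icmp type destination-unreachable icmp code frag-needed accept
        # IPv6: Packet Too Big (type 2) is mandatory; IPv6 routers never fragment
        icmpv6 type packet-too-big accept
        # IPv6 neighbour discovery and router discovery must not be dropped
        icmpv6 type { nd-router-solicit, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept
        # Optional: rate-limited echo so the link can still be diagnosed
        icmp type echo-request limit rate 5/second accept
        icmpv6 type echo-request limit rate 5/second accept
        # Everything else ICMP is still dropped by the chain policy
        iifname "eth0" tcp dport 5060 accept
    }
}
```

Load with `nft -f <file>` and verify with `nft list ruleset`; a quick functional check is `ping -M do -s 1472 <host>` across the link, which should report "message too long" rather than hang when PMTUD signalling gets through.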

