[Freeswitch-users] ICMP... and MTU
clan at wheel.dk
Wed Feb 19 19:07:54 MSK 2014
On Tue, 18 Feb 2014, Lawrence Conroy wrote:
> Problem (at least over this side of the pond) is customers using the cheapo routers provided by their ISP.
> These are often pre-configured in strange and stupid ways, or have ISPs who use TR-069 remote "configuration, for your comfort and enjoyment" that achieves the same purpose. However, at least there's a chance these can be fixed. Educating the customers is hard, but if you care, typically you CAN configure your own box to not zap PMTUD.
> It should be little surprise that the same firmware/UI that has such broken SIP ALG "support" also doesn't make it easy to block selected ICMP types.
> It sure isn't a surprise to me that these "free" routers also don't handle fragments and so get confused with some DNS traffic. Tried DNSSEC, anyone?
Each market has its own idiosyncrasies. Being on the same side of the pond
but with subtle little addition: All ADSL lines are terminated at the CPE.
This means that you are not allowed to supply your own DSL modem but have
to suffer whatever (still cheapo) router du jour the ISP in their infinite
wisdom have chosen. If you are lucky you can get them to (for a fee)
enable bridge mode where they in most(!) cases stop touching the traffic.
To add additional pain to the suffering most of them are using
"customized" firmware which is often not kept up-to-date in a timely manner, or they
simply stopped caring.
That is just the usual residential and small office pains...
And then we have the "enterprise" (and wannabes). They have the proper
equipment but the IT departments are often - shall we say - lacking.
Lawrence's observations are spot on.
So to get back to Brian's original question: Where do you see the issues? I
see them widely in both places and it comes down to the same basic issue:
Nobody really cares! Getting things to really work *properly* is only a
concern of a very, very select few people. And most of the problems come
down to $$$.
Residentials: The ISP only needs to push a simple product which is good
enough for surfing. The quality of the firmware being used on their CPE
clearly demonstrates this. If you are into conspiracies you may note that
many big ISPs are also telcos - but I honestly think it is more a
question of $$$. Why supply a good CPE if most people accept the cheaper
alternative. Sometimes you are able to configure them properly - other
times that "feature" has been removed for simplicity.
Commercial: Most firewall admins I have been in touch with have often not
had a full understanding of their field. And those who had were often
impaired with a "security" department/committee/person/etc. Large
organisations have the muscle to hire real networking people - but
unfortunately they hire "security" personnel at the same time.
The mainstream only learns from large mainstream problems. They have heard
of "ping of death" which translates into ICMP=BAD! Whenever you come and
try to educate people on the subject the typical reaction is not to
readily embrace the more informed approach. Their stance is then that
everything else is working and that you have a problem with your
technology - because we know ICMP=BAD!
And along the same lines: Try arguing that NAT is bad and that IP was
invented as a point to point protocol. Mainstream interpretation:
NAT=firewall - "You said that we do not need firewalls!". Sorry - this was
not meant as flamebait.
Luckily I do rarely deal with residential installs in my professional
life. But on the commercial side we very very often end up spending more
money on equipment rather than doing things "correctly". In the enterprise
it is often easier to set up a separate firewall/router for interconnect
rather than getting the already existing infrastructure to play ball. And
even to do that it ends up being easier to use separate lines to avoid a
lot of red tape! Truly a sad state of affairs...
I took the bait and ended up ranting. My apologies!
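As an added illustration (not part of this thread, and not FreeSWITCH project code), the following Python decodes the two ICMP messages that Path MTU Discovery depends on, ICMPv4 type 3 code 4 ("fragmentation needed") and ICMPv6 type 2 ("Packet Too Big"), and checks a firewall's ICMP allow-list against them. Every packet, address and the allow-list tuple format are constructed for the example; it uses only the standard library.

```python
"""Decode the ICMP messages Path MTU Discovery needs, and check a firewall
allow-list against them.  Added example; all packets below are constructed."""
import socket
import struct

# ICMPv4 type 3 (Destination Unreachable), code 4 (fragmentation needed, DF set): RFC 1191
ICMP4_DEST_UNREACH = 3
ICMP4_FRAG_NEEDED = 4
# ICMPv6 type 2 (Packet Too Big), code 0: RFC 4443
ICMP6_PACKET_TOO_BIG = 2

# Messages a firewall must let through or PMTUD silently breaks: (ip_version, type, code).
PMTUD_REQUIRED = {(4, ICMP4_DEST_UNREACH, ICMP4_FRAG_NEEDED), (6, ICMP6_PACKET_TOO_BIG, 0)}


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum as used by the IPv4 header and ICMPv4 messages."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 1) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]


def build_icmp4_frag_needed(next_hop_mtu: int, orig_head: bytes) -> bytes:
    """ICMPv4 'fragmentation needed' message quoting the offending datagram's head."""
    body = struct.pack("!BBHHH", ICMP4_DEST_UNREACH, ICMP4_FRAG_NEEDED, 0, 0, next_hop_mtu) + orig_head
    return body[:2] + struct.pack("!H", ones_complement_checksum(body)) + body[4:]


def parse_icmp4_frag_needed(packet: bytes):
    """Return the next-hop MTU if `packet` is an IPv4/ICMP 'fragmentation needed'
    message, None for any other well-formed packet; raise ValueError if malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ones_complement_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if packet[9] != 1:  # IP protocol number 1 = ICMP
        return None
    icmp = packet[ihl:]
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    if ones_complement_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) == (ICMP4_DEST_UNREACH, ICMP4_FRAG_NEEDED):
        return mtu
    return None


def parse_icmp6_packet_too_big(icmp6: bytes):
    """Return the MTU from an ICMPv6 Packet Too Big message (ICMPv6 body only; the
    checksum is not verified here because it covers the IPv6 pseudo-header)."""
    if len(icmp6) < 8:
        raise ValueError("truncated ICMPv6 header")
    icmp_type, _code, _csum, mtu = struct.unpack("!BBHI", icmp6[:8])
    return mtu if icmp_type == ICMP6_PACKET_TOO_BIG else None


def missing_pmtud_messages(allowed):
    """`allowed` is a set of (ip_version, type, code_or_None) tuples the firewall
    passes (None = every code of that type).  Returns the PMTUD messages it still
    blocks; an empty set means PMTUD can work through this policy."""
    def permitted(req):
        ver, typ, code = req
        return any(a_ver == ver and a_typ == typ and a_code in (None, code)
                   for a_ver, a_typ, a_code in allowed)
    return {req for req in PMTUD_REQUIRED if not permitted(req)}


# Constructed sample: router 192.0.2.1 tells host 198.51.100.10 that the next hop
# towards 203.0.113.5 only fits 1400 bytes (original datagram was 1500-byte UDP/5060).
ORIG_HEAD = (build_ipv4_header("198.51.100.10", "203.0.113.5", 1480, proto=17)
             + struct.pack("!HHHH", 5060, 5060, 1480, 0))
SAMPLE_FRAG_NEEDED = (build_ipv4_header("192.0.2.1", "198.51.100.10", 8 + len(ORIG_HEAD))
                      + build_icmp4_frag_needed(1400, ORIG_HEAD))

if __name__ == "__main__":
    print("next-hop MTU:", parse_icmp4_frag_needed(SAMPLE_FRAG_NEEDED))
    print("blocked by an 'ICMP=BAD' policy:", missing_pmtud_messages(set()))
```

The point of `missing_pmtud_messages` is that "block all ICMP" and "allow the types PMTUD needs" are different policies: a list that passes echo request/reply and nothing else still reports both PMTUD messages as blocked, while a list that passes ICMPv4 3/4 and ICMPv6 type 2 (alongside whatever else the site wants) reports none.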