On Wed, 16 Jun 2004 11:23:44 EDT, Mike S said:
> Any router configured to block ICMP packets is, quite simply,
> in violation of RFC792 (STD5), which clearly states "ICMP is actually
> an integral part of IP, and must be implemented by every IP module."
> For a router, "implemented" means forwarded to the destination's next
> hop.
>
> So the fact is, by blocking ICMP, such ISPs have broken IP connectivity,
> and can no longer claim to be providing Internet (IP) service.

Be careful there - that's uncomfortably close to saying that every firewall in existence is in violation of the RFCs, because they intentionally don't make a best-effort attempt to deliver every packet (I know of no vendors whose gear *can't* forward ICMP - but know plenty that provide knobs to prevent it under administrative control (i.e. a firewall))...

An even more annoying problem is when our site sends a packet with the DF bit set, it hits a tunnel near the far end - and the ICMP returned has an RFC1918 source address (You tier-1 and tier-2 who number their links out of 1918 know who you are..;). The ICMP is then dropped on the return path by a router properly implementing martian filtering...
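The failure mode described at the end of the message above, as an added example that is not part of the original post: a parser that flags ICMP "fragmentation needed and DF set" (type 3, code 4) packets whose source address is in RFC 1918 space, which a martian filter on the return path would discard. The function names `classify` and `build_frag_needed` are hypothetical, and the sample packets and addresses are constructed.

```python
import ipaddress
import struct

# RFC 1918 private ranges; a border router doing martian filtering drops
# packets arriving from the Internet with a source in any of these.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(packet: bytes) -> dict:
    """Parse a raw IPv4 packet and report whether it is an ICMP
    'fragmentation needed and DF set' message from an RFC 1918 source."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = packet[9]                     # 1 == ICMP
    src = ipaddress.ip_address(packet[12:16])
    info = {"src": str(src), "frag_needed": False, "next_hop_mtu": None,
            "rfc1918_src": any(src in n for n in RFC1918)}
    if proto == 1 and len(packet) >= ihl + 8:
        icmp_type, code, _cksum, _unused, mtu = struct.unpack(
            "!BBHHH", packet[ihl:ihl + 8])
        if icmp_type == 3 and code == 4:
            info["frag_needed"] = True
            info["next_hop_mtu"] = mtu    # RFC 1191 field; 0 on older routers
    # The one ICMP the sender needs for path MTU discovery is discarded
    # on the return path because of its source address.
    info["pmtud_blackhole_risk"] = info["frag_needed"] and info["rfc1918_src"]
    return info


def build_frag_needed(src: str, dst: str, mtu: int) -> bytes:
    """Constructed sample: minimal IPv4 header plus ICMP type 3 code 4
    header (checksums left zero, quoted original datagram omitted)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, mtu)
    return ip + icmp


if __name__ == "__main__":
    for s in ("10.1.2.3", "198.51.100.7"):   # constructed source addresses
        print(classify(build_frag_needed(s, "192.0.2.1", 1476)))
```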