[NANOG] Microsoft.com PMTUD black hole?
Iljitsch van Beijnum <iljitsch at muada.com> writes:
> Now Microsoft is also the company that built the OS that could be
> crashed by a maliciously crafted fragmented IP packet, so maybe
> there's something to this security policy. (One hopes that this bug
> and others like it are now fixed.)

Although the fact that Microsoft block all icmp makes me wonder which
unfixed icmp related security holes they know about...

I am not saying that there are any such holes in current Windows
versions, but I will certainly not use a Windows server in an
environment where I could receive icmp after learning that Microsoft
themselves don't trust Windows' icmp handling.

After all, Microsoft must have a reason to block all icmp. Or?

> However, in that case the only workable course of action would be TO
> DISABLE PATH MTU DISCOVERY!
>
> You can't have your cake and eat it too.

But maybe the death of icmp is worth some sort of ceremony? Cake or
not.

Bj?rn