Re: [fw-wiz] Transparent proxies and PMTUD on the (WWW) serverside

From: Rick Murphy (rmurphy_at_mitretek.org)
Date: 08/27/03

  • Next message: TSimons_at_Delphi-Tech.com: "RE: [fw-wiz] Stop Using relays.osirusoft.com *NOW*!"
    To: Mikael Olsson <mikael.olsson@clavister.com>
    Date: Wed, 27 Aug 2003 08:44:37 -0400
    
    

    At 06:33 PM 8/26/2003, Mikael Olsson wrote:

    >Um, no. I'll rephrase Carson's mail for him:
    >
    >"If an ALG-based firewall system that implements transparency on
    >the client side has PMTUd on in the underlying operating system,
    >and the transparency code doesn't handle ICMP 'must frag'
    >errors, the firewall system is b0rken."

    Again, why? The proxy should be slurping up bits from the client and
    passing them up to the server (and vice-versa). The underlying IP stack
    handles PMTUd. There's no reason for the proxy to need to know that the
    PMTUd is taking place. (Or for the client to need to know, for that
    matter.)

    The only thing that's "b0rken" is that the two sides of the proxy
    conversation could have different MTUs. So what? There's no reason for
    the proxy to care about the MTU negotiation taking place - or for it to
    reflect that negotiation back to the client.

    The client sends however much data it can, the proxy reads what it
    gets, and transmits it onward to the server. If the server-side MTU is
    lower, the messages get fragmented by the IP stack. As long as your
    protocol isn't b0rken (i.e. every message sent by the client has to
    arrive at the server intact in a single packet), everything works. If
    the protocol is sensitive to packet boundaries, it won't work over the
    Internet. I like demonstrating these kinds of errors by interposing a
    SLIP link with a tiny MTU. Anything that won't work in the face of
    fragmentation isn't designed properly IMHO. (Or, it's at best a LAN
    protocol, not an Internet protocol).

    >So, yeah, ok, the ALG itself shouldn't care about ICMP errors.
    >But the transparency function / packet filter that makes
    >the ALG transparent surely should. And it doesn't make
    >the firewall a packet filter in my book.

    Transparency doesn't need to be as complex as that.
             -Rick

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: TSimons_at_Delphi-Tech.com: "RE: [fw-wiz] Stop Using relays.osirusoft.com *NOW*!"