[LINK] For Windows Vista Security, Microsoft Called in Pros
Craig Sanders
cas at taz.net.au
Wed Jan 17 10:38:41 AEDT 2007
On Wed, Jan 10, 2007 at 10:27:02AM +1100, Howard Lowndes wrote:
> >Also, can anyone pinpoint why I can't view this page (in Mozilla 1.4 -
> >ok, I said I was planning to upgrade...but haven't quite got there yet)
> ><http://www.dcita.gov.au/communications_and_technology/consultation_and_submissions/review_of_the_structure_and_operation_of_the_.au_internet_domain>
>
> Without going into too much research it looks like a problem with their
> TCP stack. The first packet appears and then the sockets stall,
> probably doing the ACK.

that's often a sign that some moron has misconfigured a firewall to
block *ALL* ICMP traffic, including ICMP "fragmentation required" (i.e.
"packet is too big, send smaller packets") - this idiocy causes, amongst
other problems, Path MTU Discovery to fail.

given that you can't ping www.dcita.gov.au, that seems a pretty likely
cause.

the actual symptom is that small packets get through, but larger ones
don't. so a http HEAD request will work, but a GET will fail - which is
what is happening here. another common symptom is that small emails (a
line or two of text) will get through, but larger ones won't.

for more info on why blocking ICMP is broken, see:

Broken Path MTU Discovery:
http://www.burgettsys.com/stories/56239/

which describes the problem AND contains a link to a site with a good
explanation of PMTU Discovery: http://www.netheaven.com/pmtu.html

and

Common ISP Mistakes:
http://www.freelabs.com/~whitis/isp_mistakes.html

craig
--
craig sanders <cas at taz.net.au> (part time cyborg)
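
A simplified model of the failure described in the message above, added here as an illustration and not part of the original post: a sender doing Path MTU Discovery delivers a small response either way, but a full-size one stalls when the ICMP "fragmentation required" error is filtered. The hop MTUs, response sizes and all names in the code are constructed assumptions.

```python
# Simplified model of Path MTU Discovery (RFC 1191). All values are constructed.
from dataclasses import dataclass

IP_TCP_HEADERS = 40  # bytes of IPv4 + TCP header, no options


@dataclass
class Path:
    link_mtus: list      # MTU of each hop, server -> client
    icmp_blocked: bool   # True: a firewall in front of the server drops all ICMP


def send_segment(path, payload_len):
    """Send one packet with DF set.

    Returns ("delivered", None), ("icmp", hop_mtu) when a router's
    "fragmentation required" error reaches the sender, or ("lost", None)
    when the packet is dropped and the sender hears nothing.
    """
    size = payload_len + IP_TCP_HEADERS
    for mtu in path.link_mtus:
        if size > mtu:
            # Router may not fragment (DF set): it drops the packet and
            # emits ICMP type 3 code 4 carrying the next-hop MTU.
            return ("lost", None) if path.icmp_blocked else ("icmp", mtu)
    return ("delivered", None)


def transfer(path, response_bytes, local_mtu=1500, max_retries=3):
    """Server sends response_bytes; returns (bytes_delivered, path_mtu_estimate)."""
    pmtu, delivered, retries = local_mtu, 0, 0
    while delivered < response_bytes and retries <= max_retries:
        payload = min(response_bytes - delivered, pmtu - IP_TCP_HEADERS)
        status, hop_mtu = send_segment(path, payload)
        if status == "delivered":
            delivered += payload
            retries = 0
        elif status == "icmp":
            pmtu = hop_mtu   # lower the estimate and resend smaller packets
        else:
            retries += 1     # no feedback: same size is retransmitted, and stalls
    return delivered, pmtu


if __name__ == "__main__":
    hops = [1500, 1492, 1500]  # constructed path with one smaller-MTU link
    for blocked in (True, False):
        for label, size in (("HEAD-sized", 300), ("GET-sized", 20000)):
            print(blocked, label, transfer(Path(hops, blocked), size))
```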