CCIE Security Exam: RFC 4890 PMTUD Firewall Rules



Based on RFC 4890, what is the ICMP type and code that should never be dropped by the firewall to allow PMTUD?




A. B. C. D. E. F.



Path Maximum Transmission Unit Discovery (PMTUD) is the technique a sender uses to learn the largest packet that can cross a network path without fragmentation. It relies on ICMP error messages from routers: when a packet is larger than the MTU of the next link, the router drops it and reports that link's MTU back to the sender, which then lowers its packet size. In IPv4 the report is ICMP Type 3 Code 4 (Fragmentation Needed and DF set) and is only generated for packets carrying the DF bit; in IPv6, where routers never fragment in transit, it is ICMPv6 Type 2 (Packet Too Big).

RFC 4890 (Recommendations for Filtering ICMPv6 Messages in Firewalls) gives network administrators and firewall designers guidance on which ICMPv6 messages to pass and which to filter. It applies to ICMPv6 only. Its section 4.3.1, "Traffic That Must Not Be Dropped", lists Packet Too Big (Type 2) among the error messages essential to establishing and maintaining communication; Packet Too Big has only one code, Code 0.

The Packet Too Big message is generated by the router that cannot forward an IPv6 packet because it exceeds the MTU of the next-hop link. The router discards the packet and sends the message to the packet's source; its 32-bit MTU field carries the MTU of that next-hop link, and the body quotes as much of the dropped packet as fits, so the sender can identify the affected flow and adjust its packet size accordingly.

If a firewall drops Packet Too Big messages, PMTUD fails silently: the sender never learns the smaller MTU and keeps sending packets that the router discards, because an IPv6 router will not fragment on the sender's behalf. Small packets such as the TCP handshake still get through while large transfers stall, the classic PMTUD black hole caused by over-aggressive ICMPv6 filtering. Permitting the message does not mean passing it blindly: a firewall should still verify the ICMPv6 checksum, rate-limit ICMPv6 errors, and, where it keeps state, check that the quoted invoking packet belongs to a flow it has actually seen. Since a receiving host must never lower its path MTU estimate below the IPv6 minimum of 1280 bytes, a Packet Too Big message advertising a smaller MTU can also be discarded safely.
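The exchange above, worked through in code as an added example that is not part of the original page: a router builds an ICMPv6 Packet Too Big message with the RFC 8200 pseudo-header checksum, and a firewall applies the RFC 4890 section 4.3.1 must-not-drop list to it. The MTU floor and the check that the quoted invoking packet matches a flow we originated are hardening steps layered on top of that list, and the addresses and packets are constructed from the 2001:db8::/32 documentation prefix; none of this is code from RFC 4890 or from the exam.

```python
"""ICMPv6 Packet Too Big: build it, verify it, and filter it per RFC 4890 4.3.1.

Added example, not from the original page. All addresses and packets are
constructed from the 2001:db8::/32 documentation prefix.
"""
import socket
import struct

ICMPV6_NEXT_HEADER = 58
ICMPV6_PACKET_TOO_BIG = 2
IPV6_MIN_MTU = 1280          # RFC 8200: every IPv6 link must carry 1280-byte packets

# RFC 4890 section 4.3.1, "Traffic That Must Not Be Dropped":
# ICMPv6 type -> allowed codes (None means every code).
MUST_NOT_DROP = {
    1: None,     # Destination Unreachable, all codes
    2: {0},      # Packet Too Big (the PMTUD message)
    3: {0},      # Time Exceeded, hop limit exceeded in transit
    4: {1, 2},   # Parameter Problem: unrecognized Next Header / IPv6 option
    128: {0},    # Echo Request
    129: {0},    # Echo Reply
}


def icmpv6_checksum(src: bytes, dst: bytes, msg: bytes) -> int:
    """One's-complement checksum over the RFC 8200 pseudo-header plus the message.
    Returns 0 when msg already carries a valid checksum."""
    pseudo = src + dst + struct.pack("!I", len(msg)) + b"\x00\x00\x00" + bytes([ICMPV6_NEXT_HEADER])
    data = pseudo + msg
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmpv6(src: bytes, dst: bytes, icmp_type: int, code: int, rest: bytes) -> bytes:
    """Assemble an ICMPv6 message: type, code, checksum, then the type-specific rest."""
    msg = struct.pack("!BBH", icmp_type, code, 0) + rest
    return msg[:2] + struct.pack("!H", icmpv6_checksum(src, dst, msg)) + msg[4:]


def build_packet_too_big(router: bytes, sender: bytes, mtu: int, invoking: bytes) -> bytes:
    """Router side of PMTUD: Type 2, Code 0, 32-bit MTU of the next-hop link, then as
    much of the dropped packet as fits without exceeding the minimum MTU (RFC 4443 3.2)."""
    quoted = invoking[: IPV6_MIN_MTU - 40 - 8]   # minus IPv6 header and ICMPv6 header
    return build_icmpv6(router, sender, ICMPV6_PACKET_TOO_BIG, 0, struct.pack("!I", mtu) + quoted)


def firewall_verdict(src: bytes, dst: bytes, msg: bytes, active_flows: set) -> tuple:
    """Classify an inbound ICMPv6 message as an RFC 4890 firewall would.

    active_flows is {(inner_src, inner_dst)} for packets our side has sent, so an
    error message can be matched to the packet it quotes. The MTU floor and the
    flow match are hardening assumptions added here, not part of the 4.3.1 list.
    """
    if len(msg) < 8:
        return "DROP", "shorter than the 8-byte ICMPv6 header"
    if icmpv6_checksum(src, dst, msg) != 0:
        return "DROP", "bad ICMPv6 checksum"
    icmp_type, code, _csum, field = struct.unpack("!BBHI", msg[:8])
    if icmp_type not in MUST_NOT_DROP:
        return "DROP", f"type {icmp_type} is not on the must-not-drop list"
    allowed = MUST_NOT_DROP[icmp_type]
    if allowed is not None and code not in allowed:
        return "DROP", f"type {icmp_type} code {code} is not on the must-not-drop list"
    if icmp_type == ICMPV6_PACKET_TOO_BIG:
        quoted = msg[8:]
        if field < IPV6_MIN_MTU:
            return "DROP", f"advertised MTU {field} is below the IPv6 minimum"
        if len(quoted) < 40:
            return "DROP", "quoted invoking packet lacks a full IPv6 header"
        if (quoted[8:24], quoted[24:40]) not in active_flows:
            return "DROP", "quoted invoking packet matches no flow we originated"
        return "ACCEPT", f"Packet Too Big, path MTU {field}"
    return "ACCEPT", f"type {icmp_type} code {code}"


def demo() -> dict:
    """Run the filter over constructed messages; returns {case: (verdict, reason)}."""
    def ip6(text: str) -> bytes:
        return socket.inet_pton(socket.AF_INET6, text)

    host, server, router = ip6("2001:db8:1::10"), ip6("2001:db8:2::80"), ip6("2001:db8:1::1")
    # Constructed 1500-byte TCP/IPv6 packet host -> server that a 1400-byte link cannot carry.
    big = struct.pack("!IHBB", 0x60000000, 1460, 6, 64) + host + server + b"\x00" * 1460
    flows = {(host, server)}
    genuine = build_packet_too_big(router, host, 1400, big)
    corrupt = genuine[:7] + bytes([genuine[7] ^ 0x01]) + genuine[8:]   # flip a bit in the MTU field
    # Same message, but quoting a packet to a destination we never talked to.
    stray = build_packet_too_big(router, host, 1400, big.replace(server, router, 1))
    return {
        "genuine_ptb": firewall_verdict(router, host, genuine, flows),
        "tiny_mtu_ptb": firewall_verdict(router, host, build_packet_too_big(router, host, 576, big), flows),
        "corrupt_ptb": firewall_verdict(router, host, corrupt, flows),
        "stray_ptb": firewall_verdict(router, host, stray, flows),
        "node_info_query": firewall_verdict(router, host, build_icmpv6(router, host, 139, 0, b"\x00" * 4), flows),
        "echo_request": firewall_verdict(router, host, build_icmpv6(router, host, 128, 0, b"\x00" * 4), flows),
    }


if __name__ == "__main__":
    for case, (verdict, why) in demo().items():
        print(f"{case:16} {verdict:6} {why}")
```

Only the genuine Packet Too Big and the Echo Request are accepted; the message with a 576-byte MTU, the one with a corrupted checksum, the one quoting a flow the firewall never saw, and the Node Information Query (Type 139, absent from the 4.3.1 list) are all dropped with a reason that names the failed check.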

Therefore, the correct answer to this question is C. ICMPv6 Type 2 Code 0 (Packet Too Big) must not be dropped by the firewall, or PMTUD cannot work. The other options are incorrect because Packet Too Big is the only ICMPv6 message that PMTUD depends on.