
Re: linux-ipsec: cornered: MTU and fragmentation bugs

[ NOTICE!  This list will be hosted at lists.tislabs.com as of March 26.
There is no need to resubscribe, if you are on the list, you will remain
on it.  Just begin sending posts, and any administrative requests to
lists.tislabs.com as of now.  List mail to tis.com will cease to be
delivered as of March 26, 1999.  ]

> It isnt [sic] the products, its [sic] the morons who install them.  They 
> have basically made the internet a 1500 mtu fixed size network.

Indeed "they" have.  When I first started living on an IPSec tunnel to my
house, I had to figure out why it was that I couldn't surf abcnews.com.  Every
other site I tried worked fine, just not abcnews.com.

It turns out that they're sending full Ethernet-sized MTU datagrams with DF
set on all their packets.  Furthermore, they're clearly filtering all ICMP in
their border gateway router...  Sigh.

We're just going to have to take the time to painfully educate these network
managers if we want to see IPSec widely deployed.  Calling them morons, while
perhaps accurate, isn't going to fix the problem.  :-)
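
The failure described in the message above, as an added example that is not part of the original post: a toy Python model of path MTU discovery (RFC 1191) in which a sender emits full-size DF packets across a path containing a smaller-MTU tunnel hop, with and without ICMP reaching the sender. The tunnel MTU of 1440 and all function names are constructed for illustration.

```python
# Added illustration: toy model of path MTU discovery across a tunnel hop.
# TUNNEL_MTU is a constructed value, not a figure from the post.
ETHERNET_MTU = 1500
TUNNEL_MTU = 1440  # assumed: Ethernet MTU minus an illustrative IPsec overhead


def forward(size, df, hop_mtus):
    """Walk one packet along the path.

    Returns ("delivered", None), or ("dropped", hop_mtu) when a packet with
    DF set is larger than a hop's MTU. That hop would then send ICMP
    type 3 code 4 ("fragmentation needed and DF set") back to the sender.
    """
    for mtu in hop_mtus:
        if size > mtu and df:
            return "dropped", mtu
        # Without DF the router fragments and keeps forwarding.
    return "delivered", None


def send_with_pmtud(hop_mtus, icmp_filtered, max_tries=5):
    """Sender starts at the Ethernet MTU with DF set and shrinks its packets
    only if the ICMP error actually gets back to it."""
    size = ETHERNET_MTU
    history = []
    for _ in range(max_tries):
        status, next_mtu = forward(size, df=True, hop_mtus=hop_mtus)
        history.append((size, status))
        if status == "delivered":
            return True, size, history
        if icmp_filtered:
            continue  # ICMP is discarded at the border; same size is retried
        size = next_mtu  # normal PMTUD: adopt the MTU reported in the ICMP error
    return False, size, history


if __name__ == "__main__":
    path = [ETHERNET_MTU, TUNNEL_MTU, ETHERNET_MTU]  # constructed path
    for filtered in (False, True):
        ok, size, history = send_with_pmtud(path, icmp_filtered=filtered)
        print(f"icmp_filtered={filtered}: delivered={ok} final_size={size}")
        print("  attempts:", history)
```

With ICMP allowed through, the sender converges on the tunnel MTU after one drop; with ICMP filtered, every retry is the same 1500-byte packet and nothing is ever delivered.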