[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IKE negotiation for fragmentation controls in IPsec

> I keep hearing that most (may be some) firewalls can be explicitly
> configured to discard ICMP error messages.

It's worse than that.  Very many firewalls in the as-built internet
are configured to drop all ICMP packets.

I recommend attempting to visit a broad sampling of web sites (using
http and https) from a client which:

 1) advertises a TCP MSS of 1460 (corresponding to a 1500 byte MTU)

 2) has a <1500-byte MTU on the path due to tunnels, PPPoE, or other
    bottleneck links.

You will most likely discover that many of these sites will not
successfully talk to you or mysteriously hang mid-transaction.

I believe there's an alternate path mtu discovery proposal in the
works (there was a "plpmtud" BOF last IETF; I haven't followed what
happened to it).

						- Bill