>> > Yes; you can break PMTU discovery if you're not careful.
>> Don't the OSes that use large ICMP for PMTU discovery have a fall-back
>> mechanism? We are talking about older AIX and HPUX, right?
> I think the fall-back mechanism is the wond'rously complex `just don't
> bother' approach.
> Then again, some of PMTU confuses me anyway; why don't I see vast hordes of
> large icmp 8/0 packets in my firewall logs, one for each host I contact?
I don't think very many OSs use the large ICMP thing. It is (IMMHO) a
Bad Idea[tm] to begin with. With TCP connections, for example, we have
MSS (Maximum Segment Size) in the TCP options. This is now the default
for win and lin boxes.
For example, this just came in:
15:59:38.369629 220.127.116.11.3989 > xx.xx.xx.xx.111: S 2892768663:2892768663(0)
win 32120 <mss 1460,sackOK,timestamp 35171513[|tcp]> (DF) (ttl 50, id 25816, len 60)
0x0010 xxxx xxxx 0f95 006f ac6c 2597 0000 0000 xxxx...o.l%.....
0x0020 a002 7d78 4361 0000 0204 05b4 0402 080a ..}xCa..........
0x0030 0218 acb9 0000 ......
Despite the fact that it was a scan for portmapper (gee, pick a random
packet for example's sake and wouldn't you know it we have a probe :),
you can see that the DF flag was set so a router could fire back a
frag-needed icmp if it was needed (or didn't want to listen to the
options), but in the TCP options you see that the mss for the sender
A UDP data stream would need to rely on the old frag-needed ICMP to
find the MTU. Because of paranoid people like us, MTU discovery is
becoming more and more broken all the time as ICMP is more and more
considered to be a bad thing to allow.
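As an added example (not part of the post), the following Python decodes the SYN quoted above from its hex dump: the TCP option list with the MSS the sender advertised, plus the DF bit from an IP header that is reconstructed from the summary line, since the dump omits its first 16 bytes. It also handles the timestamp option that the [|tcp] marker shows was cut off by the capture length.

```python
import struct

# TCP bytes (offset 0x0014 onward) copied from the hex dump in the post; the
# capture stopped at 54 bytes, so the 10-byte timestamp option is cut short.
TCP_BYTES = bytes.fromhex(
    "0f95 006f ac6c 2597 0000 0000 a002 7d78 4361 0000"
    " 0204 05b4 0402 080a 0218 acb9 0000"
)
# IP header constructed (not from the dump) from the summary line: len 60,
# id 25816, DF set, ttl 50, proto TCP; checksum and addresses are zeroed.
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 25816, 0x4000, 50, 6, 0,
                     bytes(4), bytes(4))

OPTION_NAMES = {2: "mss", 3: "wscale", 4: "sackOK", 8: "timestamp"}

def df_set(ip_hdr: bytes) -> bool:
    """True when the Don't Fragment bit (0x4000 of the flags/fragment field) is set."""
    return bool(struct.unpack("!H", ip_hdr[6:8])[0] & 0x4000)

def parse_tcp_options(segment: bytes) -> dict:
    """Walk the option list; an option cut off by the capture is flagged, not decoded."""
    data_offset = (segment[12] >> 4) * 4
    opts, i, end = {}, 20, min(data_offset, len(segment))
    while i < end:
        kind = segment[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP padding
            i += 1
            continue
        name = OPTION_NAMES.get(kind, kind)
        if i + 1 >= end or segment[i + 1] < 2 or i + segment[i + 1] > end:
            opts[name] = "truncated"   # length byte missing or body runs past the capture
            break
        length = segment[i + 1]
        body = segment[i + 2:i + length]
        if kind == 2:
            opts["mss"] = struct.unpack("!H", body)[0]
        elif kind == 4:
            opts["sackOK"] = True
        elif kind == 8:
            opts["timestamp"] = struct.unpack("!II", body)
        else:
            opts[name] = body.hex()
        i += length
    return opts

def summarize(ip_hdr: bytes, segment: bytes) -> dict:
    """Ports, sequence number, SYN flag, DF bit and decoded options of one segment."""
    sport, dport, seq = struct.unpack("!HHI", segment[:8])
    return {"sport": sport, "dport": dport, "seq": seq, "syn": bool(segment[13] & 0x02),
            "df": df_set(ip_hdr), "options": parse_tcp_options(segment)}
```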