From: barmar@alum.mit.edu
In article ,
Jorgen Grahn wrote:
> On 03 Jun 2009 16:28:16 GMT, Casper H.S Dik wrote:
> > David Schwartz writes:
> >
> >>I can't figure out what you're talking about. What does "enable PMTU
> >>on our end-points" mean? You mean enable PMTU detection? If the
> >>endpoints do PMTU detection, it doesn't matter what the middle does.
> >>The endpoints will figure out the largest packet that arrives
> >>unfragmented.
> >
> > No, it requires that packets which are two big and which have DF set:
> > will be dropped
> > an ICMP message will be send.
> > and the ICMP packet will make it to the sender
> >
> > In order for the link to support PMTU, all parts in the link must
> > follow the RFCs, including the endpoint and firewalls which may
> > drop all ICMP messages.
>
> And then the question is, is this situation so common that you have to
> care about it?
Unfortunately, yes.
> A network where something firewalls away important, low-rate ICMP
> messages is, to me, not a real IP network. And yet it seemed to me
> when I googled recently that many people distrust PMTU. As in "oh,
> that will never work. Let's implement this ugly kludge instead to
> solve our fragmentation issues".
The problem is that many people take a very simplistic approach to
firewalling. They think ICMP is just used for ping, and they don't want
people pinging them, so they just block ICMP rather than get specific
about the ICMP types.
I think things have gotten better over time, as PMTUD became more common
and people ran into problems due to the blocking. But it probably still
happens enough that people need to worry about it.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)
|
