> But still, would it be so terrible to have a sysctl to enable fragmenting
> even when DF is set? O:-)

Yes.

ip reassembly uses the ip_id field (packet id) as part of the key used
to recognize when fragments are part of the same packet.

The id field is normally not used for anything when DF is set..

As a result, some ip implementations out there may "cheat" and not
fill in a short-term unique value in that case.

There's also a proposal floating around which recommends in-flight
modification of the "id" field in packets with DF set to include
tracing information (to allow DDoS packet floods with forged source
addresses to be traced back to their origin).

Either of these "cheats" can generate collisions in ip_id values --
complicating correct reassembly on the other end.

						- Bill