Subject: Re: DF strikes again
To: itojun@iijlab.net, Current Users <current-users@NetBSD.ORG>
From: Jason R Thorpe <thorpej@zembu.com>
List: current-users
Date: 03/15/2001 08:15:50

On Thu, Mar 15, 2001 at 02:36:26PM +0200, Jukka Marin wrote:

 > Then how do you correct a situation where MTU is too small and some remote
 > site is doing PMTU discovery _and_ blocking ICMP packets?  Yes, the problem
 > should be fixed at the remote site, but what if you NEED to use that site
 > and they do NOT fix the problem?

The correct solution is to fix the broken firewall.

But, failing that, the endpoints should do something called "Black Hole
Discovery", which detects ICMP black-holes and works around the braindamage
in some way.

Bill Sommerfeld contributed some text to an I-D/RFC some time back that
discusses this issue -- something along the lines of "firewalls MUST NOT
block packets that the legitimate use of the Internet relies on for proper
operation" or something like that.  So, the trick is to find the RFC #,
and contact the owner of the firewall and scream that they are "not
RFC-mumble compliant!!!"  :-)

-- 
        -- Jason R. Thorpe <thorpej@zembu.com>
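
One way an endpoint could do the "Black Hole Discovery" mentioned in the message above, as a simulation added here (not code from the post or from NetBSD). The retry threshold, the MTU plateau table and all names are assumptions made for the example.

```python
# Simulation of PMTU black-hole detection (constructed example).
PLATEAUS = [1500, 1492, 1280, 1006, 576]  # assumed fallback MTUs, largest first
HEADERS = 40            # IPv4 + TCP headers, no options
BLACKHOLE_RETRIES = 2   # assumed: consecutive timeouts before suspecting a black hole


class Path:
    """Bottleneck that drops oversized DF packets; may also filter the ICMP error."""

    def __init__(self, mtu, icmp_filtered):
        self.mtu = mtu
        self.icmp_filtered = icmp_filtered

    def send(self, size, df):
        if size <= self.mtu or not df:
            return "ack", None        # fits, or a router may fragment it
        if self.icmp_filtered:
            return "timeout", None    # dropped silently: the black hole
        return "icmp", self.mtu       # "fragmentation needed" reaches the sender


def deliver(path, mss, max_attempts=20):
    """Retransmit one full-sized segment until acked; return (mss, df, log)."""
    df, timeouts, log = True, 0, []
    for _ in range(max_attempts):
        size = mss + HEADERS
        result, next_hop_mtu = path.send(size, df)
        log.append((size, df, result))
        if result == "ack":
            return mss, df, log
        if result == "icmp":          # normal PMTU discovery
            mss, timeouts = next_hop_mtu - HEADERS, 0
            continue
        timeouts += 1
        if timeouts >= BLACKHOLE_RETRIES:
            smaller = [p for p in PLATEAUS if p < size]
            if smaller:
                mss = smaller[0] - HEADERS   # step down one plateau
            else:
                df = False                   # last resort: allow fragmentation
            timeouts = 0
    raise RuntimeError("segment never acknowledged")


if __name__ == "__main__":
    for mtu, filtered in [(1400, False), (1400, True), (500, True)]:
        mss, df, log = deliver(Path(mtu, filtered), 1460)
        print(f"mtu={mtu} icmp_filtered={filtered}: mss={mss} df={df} sends={len(log)}")
```

With ICMP delivered the sender converges in two sends; with ICMP filtered it only recovers after repeated timeouts, which is the cost the broken firewall imposes on every connection.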