Subject: Re: DF strikes again
To: Rob Quinn <rquinn@sprint.net>
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
List: current-users
Date: 03/15/2001 14:28:58

> > So, the trick is to find the RFC #, and contact the owner of the
> > firewall and scream that they are "not RFC-mumble compliant!!!" :-)
>
> Good luck. I often refer admins to
> http://www.worldgate.com/~marcs/mtu/.
ok, quoting chapter and verse:
RFC2979, "Behavior of and requirements for Internet Firewalls"
The introduction of a firewall and any associated tunneling or
access negotiation facilities MUST NOT cause unintended failures
of legitimate and standards-compliant usage that would work were
the firewall not present.
...
By the transparency rule, a packet-filtering router acting as a
firewall which permits outgoing IP packets with the Don't Fragment
(DF) bit set MUST NOT block incoming ICMP Destination Unreachable /
Fragmentation Needed errors sent in response to the outbound packets
from reaching hosts inside the firewall, as this would break the
standards-compliant usage of Path MTU discovery by hosts generating
legitimate traffic.
On the other hand, it's proper (albeit unfriendly) to block ICMP Echo
and Echo Reply messages, since these form a different use of the
network, or to block ICMP Redirect messages entirely, or to block
ICMP DU/FN messages which were not sent in response to legitimate
outbound traffic.
Note that there's a lot of room for flexibility here.. folks with ICMP
phobias can always turn off path mtu discovery on the nodes
"protected" by the firewall..
- Bill
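An added example, not part of Bill's message or of RFC 2979 itself: a small Python check in the spirit of the paragraph quoted above, which passes an ICMP Destination Unreachable / Fragmentation Needed error only when the datagram it quotes matches a DF-bit flow an inside host actually originated, and drops errors that quote traffic nobody sent. Addresses, ports and the next-hop MTU are constructed test values.

```python
import struct
import ipaddress

ICMP, TCP = 1, 6

def build_ipv4(src, dst, proto, payload, df=True, ident=1, ttl=64):
    """Minimal IPv4 header (checksum left zero) plus payload; constructed test data only."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      0x4000 if df else 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def build_frag_needed(router, host, next_hop_mtu, quoted_datagram):
    """ICMP type 3 code 4 from router to host, quoting the offending header + 8 bytes (RFC 1191 layout)."""
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + quoted_datagram[:28]
    return build_ipv4(router, host, ICMP, icmp, df=False)

def parse_ipv4(pkt):
    """Return (src, dst, proto, df_set, payload) for a packet starting with an IPv4 header."""
    vihl, _, _, _, flags_frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
            proto, bool(flags_frag & 0x4000), pkt[ihl:])

def pmtu_error_for_outbound_flow(pkt, outbound_flows):
    """Return the next-hop MTU if pkt is a Fragmentation Needed error whose quoted datagram
    had DF set and matches a (src, dst, proto, sport, dport) entry in outbound_flows; else None.
    The firewall would forward the error when this returns a value and drop it otherwise."""
    _, outer_dst, proto, _, icmp = parse_ipv4(pkt)
    if proto != ICMP or len(icmp) < 8 + 28:
        return None
    itype, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (itype, code) != (3, 4):
        return None  # echo, redirect, other unreachables: not the PMTUD case
    in_src, in_dst, in_proto, in_df, in_payload = parse_ipv4(icmp[8:])
    if not in_df or in_src != outer_dst or len(in_payload) < 4:
        return None  # quoted packet could not have triggered PMTUD, or error not for its sender
    sport, dport = struct.unpack("!HH", in_payload[:4])
    return mtu if (in_src, in_dst, in_proto, sport, dport) in outbound_flows else None

# Constructed scenario: inside host 192.0.2.10 sent a DF segment to 198.51.100.5:443 and
# a router on the path (203.0.113.1) reports a 1400-byte next-hop MTU.
OUTBOUND = {("192.0.2.10", "198.51.100.5", TCP, 40000, 443)}
tcp_head = struct.pack("!HHI", 40000, 443, 1000)
sent = build_ipv4("192.0.2.10", "198.51.100.5", TCP, tcp_head + b"x" * 1400)
GOOD = build_frag_needed("203.0.113.1", "192.0.2.10", 1400, sent)
# Same error shape, but quoting a flow the host never originated.
BAD = build_frag_needed("203.0.113.1", "192.0.2.10", 1400,
                        build_ipv4("192.0.2.10", "198.51.100.9", TCP, tcp_head))
```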