Subject: Re: DF strikes again
To: Bill Sommerfeld <firstname.lastname@example.org>
From: Andrew Brown <email@example.com>
Date: 03/15/2001 15:08:57
>> i think the use of "outgoing" and "incoming" here is probably enough
>> for people to insist that they're not doing anything wrong. after
>> all, it says nothing about incoming traffic with the DF bit or
>> outgoing ICMP messages, which is usually where the problem is.
>This would only be a problem if the bottleneck is *inside* the
>In practice the problems occur with configurations looking like:
>                 inside                outside
> web server === firewall ============= t1 ---- t2 ====== client
>'=' is 1500 byte MTU
>'-' is smaller MTU
>In this case, the web server is sending out DF packets of size 1500
>bytes; t1 sends back a "frag needed" ICMP, which is being dropped by
which could just as easily be a situation like this:
client ============== firewall ==== t1 ---- t2 ==== web server
>Large packets sent by "client" wind up hitting the bottleneck at t2,
>get the "frag neededs" and adapt.
...so that large packets from the client wind up getting dropped and
no notification makes it back to the client.
>If t1/t2 are buggy and don't send the "frag needed" errors, that's
>another matter entirely (not a firewall bug).
|-----< "CODE WARRIOR" >-----|
firstname.lastname@example.org             * "ah!  i see you have the internet
email@example.com (Andrew Brown)                      that goes *ping*!"
firstname.lastname@example.org      * "information is power -- share the wealth."