Subject: Re: Patch for limiting TCP MSS (i.e. for new PPPoE)
To: Rick Byers <rb-netbsd@BigScaryChildren.net>
From: Steven M. Bellovin <smb@research.att.com>
List: tech-net
Date: 12/03/2001 12:18:56
In message <Pine.NEB.4.33.0112031151580.4384-100000@Apenheul.BigScaryChildren.net>, Rick Byers writes:
>
>On Mon, 3 Dec 2001, Martin Husemann wrote:
>
>> Which still means you have to do it for each and every machine behind a
>> pppoe router. It's hard to cope from our understanding of standards
>> conformance, but we *really* need a MSS clamping option for routers!
>>
>> I've been dealing with completely clueless firewall admins at a client
>> for a few weeks now and just punted.
>
>I definitely agree.  Mike Pelley <mike@solidum.com>, is implementing
>in-kernel MSS clamping.  Anyone know if other OSes handle this directly in
>the TCP stack?  Since the problem applies to more than just PPPoE
>connections, and more than just ipnat setups - it makes sense to me to
>support MSS clamping in the TCP stack directly.  However, I'm not aware of
>any other OS that does this.
>
>Rick
>
Routers shouldn't tinker with MSS's.  If nothing else, that won't work 
for non-TCP protocols or in the presence of IPsec.  The right answer is 
PMTU, and routers that see a small outbound link should emit the proper 
packet.  In particular, PPPoE routers tend to be user premises 
gateways, which should allay any security concerns.

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com
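The two mechanisms argued over in this thread, as an added illustration that is not part of the original messages or of any NetBSD code: MSS clamping rewrites the MSS option in a TCP SYN so segments fit the PPPoE link, while PMTU discovery has the router drop an oversized DF packet and report the link MTU in an ICMP "fragmentation needed" message. The sample SYN options blob is constructed for this example; the 1492-byte PPPoE MTU and 40 bytes of IPv4+TCP header overhead are assumed.

```python
import struct

PPPOE_MTU = 1492             # assumed: Ethernet 1500 minus 8 bytes of PPPoE/PPP header
IPV4_TCP_OVERHEAD = 40       # 20-byte IPv4 header + 20-byte TCP header, no options


def mss_for_link(mtu, overhead=IPV4_TCP_OVERHEAD):
    """Largest TCP payload that fits in one unfragmented packet on a link of this MTU."""
    return mtu - overhead


def clamp_mss_option(tcp_options, max_mss):
    """Return a copy of a TCP options blob with any MSS option (kind 2) lowered to max_mss.

    This is what a router-side clamp does to the SYN/SYN-ACK. As the thread notes, it only
    helps TCP, and it cannot be done at all when the TCP header is inside IPsec ESP/AH.
    A real implementation must also fix up the TCP checksum after rewriting the option."""
    out = bytearray(tcp_options)
    i = 0
    while i < len(out):
        kind = out[i]
        if kind == 0:                      # End of option list
            break
        if kind == 1:                      # NOP: single byte, no length field
            i += 1
            continue
        length = out[i + 1]
        if length < 2 or i + length > len(out):
            raise ValueError("malformed TCP option at offset %d" % i)
        if kind == 2 and length == 4:      # MSS option: kind, len, 16-bit value
            (mss,) = struct.unpack_from("!H", out, i + 2)
            if mss > max_mss:
                struct.pack_into("!H", out, i + 2, max_mss)
        i += length
    return bytes(out)


def needs_frag_mtu(ip_total_length, df_set, link_mtu):
    """PMTU discovery (RFC 1191): a DF packet larger than the outbound link is dropped and
    the router sends ICMP Destination Unreachable, code 4, carrying the next-hop MTU.
    Returns the MTU to report, or None if the packet can be forwarded as is."""
    if df_set and ip_total_length > link_mtu:
        return link_mtu
    return None


# Constructed SYN options: MSS 1460, NOP, window scale 7, SACK-permitted, end-of-list padding.
SAMPLE_SYN_OPTIONS = b"\x02\x04\x05\xb4\x01\x03\x03\x07\x04\x02\x00\x00"

if __name__ == "__main__":
    clamped = clamp_mss_option(SAMPLE_SYN_OPTIONS, mss_for_link(PPPOE_MTU))
    print("clamped options:", clamped.hex())
    print("ICMP MTU for a 1500-byte DF packet:", needs_frag_mtu(1500, True, PPPOE_MTU))
```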