Subject: Re: gsip sends byte-swapped vlan tags
To: None <tech-net@netbsd.org>
From: Christos Zoulas <christos@astron.com>
List: tech-net
Date: 01/26/2006 20:53:09

In article <200601261615.LAA28076@Sparkle.Rodents.Montreal.QC.CA>,
der Mouse  <mouse@Rodents.Montreal.QC.CA> wrote:
>>>> Bugs have to be fixed, not worked around by disabling a feature.
>>> I agree.  But then why do we support MSS clamping?
>> Because we cannot make Verizon stop using PPPoE :-)
>
>PPPoE is not the problem either; it merely is the commonest cause of
>setups which expose the problem.  Making Verizon stop using PPPoE would
>just be another workaround.
>
>The real problem is on the other end: hosts which try to do PMTU-D, but
>are behind boxes (usually misconfigured firewalls) which drop the ICMPs
>necessary for PMTU-D to function.

It is not just misconfigured firewalls. Even if you have PMTU-D, things
get interesting if you try to do IPSEC over such a link and NAT... I've
gotten things to work, but only with MSS clamping. Otherwise my Windows
boxes behind the NAT/IPSEC NetBSD gateway silently drop packets in a
specific size range... Try it. It could be a bug in the NetBSD fragmentation
code or something else. I don't know.

christos