Subject: DF strikes again
To: Current Users <current-users@NetBSD.ORG>
From: Jukka Marin <jmarin@pyy.jmp.fi>
List: current-users
Date: 03/14/2001 21:00:25

In the past, I have complained about problems where an internet host
is trying to do PMTU discovery, but is behind a firewall which blocks
the ICMP unreachable messages.

It seems that this misconfiguration has become quite widely used here
in Finland.  Banks and other organizations are doing this and effectively
blocking access to their services from hosts located behind MTU limited
connections.

For example, I am using gif to tunnel a subnet over an adsl connection.
The default MTU of gif is 1280 bytes - and some hosts are using 1460
byte packets with DF set, so my NetBSD router cannot send the packets
over the tunnel.

I tried "ifconfig gif0 mtu 1500" and, according to "ifconfig gif0", the
new MTU value was set - but the router STILL reports it can't transmit
the 1460 byte packets over the tunnel.  (Why doesn't the new MTU value
work - or if gif can't use an MTU that high, then why doesn't ifconfig
say so?)

I will e-mail to some of the misconfigured places and try to make them
fix their firewalls - but it seems this will soon take up all my time
and some sites don't even bother replying to mail, even less do they
want to fix the problem.

How about adding a sysctl variable that would make NetBSD fragment the
packets, even if the DF flag is set?  I know this is wrong, but it would
make things work much easier than having to explain these Damn Fools
what they are doing wrong.  How does one add a sysctl'able variable?
Could this feature become part of NetBSD (I know I can hack the kernel
sources, but I don't like doing it over and over again to every NetBSD
version..)

It would still be nice if MTU=1500 worked with gif, though.. Why is MTU
1280?  Because the original IP packet must be encapsulated inside another
IP header?

  -jm
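The failure mode described in this post (a sender setting DF, a router with a smaller-MTU tunnel, and a firewall on the sender's side silently dropping the ICMP "fragmentation needed" replies) can be worked through in a small simulation. The following is an added example, not code from the post or from NetBSD; it models Path MTU discovery per RFC 1191 over a constructed three-hop path. The hop names, the 20-byte outer IPv4 header used for the encapsulation overhead, and the `ignore_df` switch (standing in for the sysctl the poster proposes) are assumptions of this example; the 1460/1280/1500 sizes are the ones quoted in the mail.

```python
"""PMTU discovery versus an ICMP-filtering firewall: a constructed simulation.

Added example (not from the list post or the NetBSD sources).  Assumed
values: a 20-byte IPv4 header, hop names, and a hypothetical ignore_df
switch that makes a router fragment even when DF is set.
"""
from dataclasses import dataclass

IP_HDR = 20                 # IPv4 header without options (assumed, no IP options)
ICMP_FRAG_NEEDED = (3, 4)   # ICMP type 3 / code 4: "fragmentation needed and DF set"


@dataclass(frozen=True)
class Hop:
    name: str
    mtu: int
    drops_icmp: bool = False   # True: this hop filters ICMP unreachables heading back


def fragment(total_len, mtu):
    """Split an IPv4 datagram of total_len bytes into fragment sizes that fit mtu.

    Fragment offsets are counted in 8-byte units, so every fragment but the
    last carries a payload that is a multiple of 8 bytes.
    """
    per_frag = (mtu - IP_HDR) // 8 * 8
    if per_frag <= 0:
        raise ValueError("mtu too small to carry any payload")
    payload = total_len - IP_HDR
    sizes = []
    while payload > 0:
        chunk = min(payload, per_frag)
        sizes.append(chunk + IP_HDR)   # each fragment gets its own IP header
        payload -= chunk
    return sizes


def forward(total_len, df, path, ignore_df=False):
    """Push one datagram along path (a list of Hop), sender first.

    Returns one of:
      ('delivered', [sizes arriving at the far end])
      ('icmp', next_hop_mtu)   sender gets Frag-Needed carrying the hop's MTU
      ('blackhole', hop_name)  packet dropped, the ICMP never reaches the sender
    """
    sizes = [total_len]
    for i, hop in enumerate(path):
        if all(s <= hop.mtu for s in sizes):
            continue
        if df and not ignore_df:
            # The router must drop and report.  The report travels back through
            # the hops before this one; any of them filtering ICMP hides it.
            if any(h.drops_icmp for h in path[:i]):
                return ("blackhole", hop.name)
            return ("icmp", hop.mtu)
        # DF clear (or the hypothetical override): fragment here and carry on.
        resized = []
        for s in sizes:
            resized.extend(fragment(s, hop.mtu) if s > hop.mtu else [s])
        sizes = resized
    return ("delivered", sizes)


def pmtu_discover(initial_len, path, max_rounds=8):
    """Sender side of RFC 1191: start big with DF set, shrink on each Frag-Needed.

    Returns (path_mtu, rounds) on success or (None, rounds) when the sender
    never hears back, i.e. the path is a PMTU black hole.
    """
    size = initial_len
    for rounds in range(1, max_rounds + 1):
        outcome = forward(size, df=True, path=path)
        if outcome[0] == "delivered":
            return size, rounds
        if outcome[0] == "icmp":
            size = outcome[1]      # adopt the next-hop MTU from the ICMP message
            continue
        return None, rounds
    return None, max_rounds


def tunnel_inner_mtu(outer_mtu):
    """Largest inner datagram that still fits after IP-in-IP encapsulation (assumed 20-byte outer header)."""
    return outer_mtu - IP_HDR


# Constructed paths, seen from the remote (sending) host towards the poster's subnet.
HEALTHY_PATH = [Hop("site-firewall", 1500), Hop("internet", 1500), Hop("gif0-tunnel", 1280)]
FILTERED_PATH = [Hop("site-firewall", 1500, drops_icmp=True), Hop("internet", 1500), Hop("gif0-tunnel", 1280)]

if __name__ == "__main__":
    print("healthy :", pmtu_discover(1460, HEALTHY_PATH))
    print("filtered:", pmtu_discover(1460, FILTERED_PATH))
    print("override:", forward(1460, df=True, path=FILTERED_PATH, ignore_df=True))
    print("1500-byte link carries inner packets up to", tunnel_inner_mtu(1500))
```

With the healthy path the sender learns 1280 from the first ICMP reply and succeeds on the second try; with the filtering firewall in front of it, the same sender gets nothing back and the connection stalls, which is exactly the symptom the post describes. Setting `ignore_df` shows what the proposed sysctl would do: the router fragments the 1460-byte packet into 1276 + 204 bytes and delivers it regardless of DF. The `tunnel_inner_mtu` helper only shows that an outer 20-byte header limits the inner packet to 1480 bytes on a 1500-byte link; it does not explain the 1280 default quoted in the post.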