> i think the use of "outgoing" and "incoming" here is probably enough for
> people to insist that they're not doing anything wrong.

 I doubt they know what they are doing, after all they are just following the
usual security line of "block everything by default". It's usually not a
question of "can they be educated with good docs" but "how do I find them all"?
Sounds like a never ending battle.

> after all, it says nothing about incoming traffic with the DF bit or outgoing
> ICMP messages, which is usually where the problem is.

 I think these people, being close to the filter source, would experience their
own wide scale outages, leading them to investigate and fix their own network.