Subject: Re: Patch for timiting TCP MSS (i.e. for new PPPoE)
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Rick Byers <>
List: current-users
Date: 12/04/2001 09:55:36
> > Broken networks will allways require ugly hacks to work around their
> > problems.
> No; better to break them as widely as possible to get them fixed.
> Working around their problems only removes their incentive to fix them.

I whole heartadly agree - in theory.  But unfortunantly its too late for
anyone here to break theese networks widely enough for them to care.
Maybe someone like Microsoft could do it (apparently MS chose not to
include MSS clamping in their XP PPPoE software), but even that would be
hard - people are already lowering their MTUs or abandoing MS RASPPPoE in
favour of one with MSS clamping.  But NetBSD is too insignificant from the
web site operator's point of view.  As far as Bank of Montreal was
concerned, I was just an individual with an isolated problem due to an
obscure setup.  They essentially told me that they weren't going to change
their network, no matter how broken it was, because the risk of any
configuration change at all outweighs one unhappy customer.

I respect the idealism of such a position, but its hard to stick with it
when it means loosing access to 5% of web sites, including my banks
on-line banking.  If NetBSD sticks with no MSS clamping option, it will
hurt the users much more than help solve the problem.

Instead, someone should start some kind of awareness/advocy group which
can act as a combined voice to get theese sorts of problems fixed.  It
would be really cool if NetBSD could auto-detect blackholed sites and add
the IPs a local list of broken hosts, which would get submitted to an
advocy site for automatic testing, public listing, and notification
e-mails.  I think such a complex system could help significantly, but
it'll never eliminate the need for a work around.  Look at the
history of open-relays.  Some sites STILL refuse to close their mail
relays, even though millions of people now block all e-mail from them.
While we wait for incompentant network admins to get a clue, either WE
suffer, or we swallow our pride and implement (temporary) work-arounds.