Subject: Re: SOLVED! The cause of puzzling TCP (eg. WHOIS) connection failures with some InterNIC.net hosts
To: NetBSD Networking Technical Discussion List <tech-net@netbsd.org>
From: Michael C. Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-net
Date: 11/21/1998 18:51:46
>>>>> "Greg" == Greg A Woods <woods@most.weird.com> writes:
Greg> *Something* needs to be done since it's clear that there will be
Greg> ongoing problems with broken PMTUD. Either the protocol needs
Greg> fixing (and I admit I've not yet read the RFCs to see if the
The protocol is really fine. The problem is that most firewall people,
and an awful lot of NAT/VPN people think that ICMP is a protocol in the
same sense that UDP/TCP is. It isn't. It is rather part of the infrastructure
that TCP and UDP sit upon. Firewall vendors who implement "TCP/IP" must
deal with ICMP issues, or they really aren't supporting "IP" properly.
See
http://www.sandelman.ottawa.on.ca/SSW/ietf/draft-richardson-ipsec-pmtu-discovery-00.txt (long since expired from the ID directory)
Greg> end. That means either breaking PMTUD by always ignoring the DF
Greg> bit, or finding some way of ignoring the DF bit after PMTUD has
Greg> failed to get the packet size down as necessary.
My suggestion as a temporary fix is to generate the ICMP when DF is set,
but to optionally fragment anyway. This should be off by default, and should
be sysctl'able.
Greg> If indeed PMTUD is not robust as designed then "we" also should be
Greg> putting forward proposals to get it fixed at the RFC level.
Convincing firewall vendors of this will probably require a rev to the
PMTU document. It may even fit into tcpimpl's mandate.
:!mcr!: | Network and security consulting/contract programming
Michael Richardson | Firewalls, TCP/IP and Unix administration
Personal: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html
Corporate: http://www.sandelman.ottawa.on.ca/SSW/
ON HUMILITY: To err is human, to moo bovine.
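The failure mode discussed in this thread, and the "generate the ICMP but fragment anyway" workaround, can be shown in a small simulation. The following is an added example, not code from the original post or from NetBSD: the hosts, link MTUs, payload size, the `Router`/`Firewall`/`transfer` names and the `fragment_despite_df` knob are all constructed for the illustration. It models a sender doing RFC 1191 Path MTU Discovery behind a firewall that either permits ICMP type 3 code 4 ("fragmentation needed and DF set") or drops all ICMP, across a path with a 576-byte bottleneck.

```python
"""Path MTU Discovery (RFC 1191) under different firewall policies, simulated.

Added example; not code from the original message or from NetBSD. Topology,
MTU values, payload size and the `fragment_despite_df` knob are constructed.
"""
from dataclasses import dataclass

IP_HDR = 20                 # IPv4 header bytes carried by every packet and fragment
ICMP_FRAG_NEEDED = (3, 4)   # ICMP Destination Unreachable, "fragmentation needed and DF set"


@dataclass
class Packet:
    size: int   # total IPv4 datagram length in bytes
    df: bool    # Don't Fragment bit


@dataclass
class IcmpError:
    type_code: tuple
    next_hop_mtu: int   # RFC 1191 field telling the sender how far to shrink


@dataclass
class Router:
    """One hop whose outgoing link carries at most `mtu` bytes."""
    mtu: int
    fragment_despite_df: bool = False   # assumed sysctl-style knob from the message

    def forward(self, pkt):
        """Return (packets sent onward, ICMP error sent back or None)."""
        if pkt.size <= self.mtu:
            return [pkt], None
        err = IcmpError(ICMP_FRAG_NEEDED, self.mtu)
        if pkt.df and not self.fragment_despite_df:
            return [], err                       # RFC behaviour: drop and report
        # Fragment: each piece carries its own IP header plus up to mtu-IP_HDR payload.
        frags, remaining, per = [], pkt.size - IP_HDR, self.mtu - IP_HDR
        while remaining > 0:
            chunk = min(per, remaining)
            frags.append(Packet(IP_HDR + chunk, df=False))
            remaining -= chunk
        return frags, (err if pkt.df else None)  # workaround: report *and* deliver


@dataclass
class Firewall:
    """Filter in front of the sender; `allowed` holds permitted ICMP (type, code) pairs."""
    allowed: frozenset

    def deliver_icmp(self, err):
        return err if err.type_code in self.allowed else None


def transfer(sender_mtu, routers, firewall, payload, max_timeouts=3):
    """Send `payload` bytes with DF set, shrinking the PMTU on ICMP as RFC 1191 says.

    'blackhole' means the sender gave up after repeated silent losses, which is
    the connection failure the thread is about."""
    pmtu, delivered, timeouts, fragmented = sender_mtu, 0, 0, 0
    while delivered < payload:
        seg = min(pmtu - IP_HDR, payload - delivered)
        in_flight, errors = [Packet(IP_HDR + seg, df=True)], []
        for hop in routers:
            onward = []
            for p in in_flight:
                fwd, err = hop.forward(p)
                onward.extend(fwd)
                if err is not None:
                    errors.append(err)
            in_flight = onward
        err = firewall.deliver_icmp(errors[0]) if errors else None
        arrived = sum(p.size - IP_HDR for p in in_flight)
        if len(in_flight) > 1:
            fragmented += 1                      # the segment reached the peer as fragments
        if err is not None:
            pmtu = min(pmtu, err.next_hop_mtu)   # PMTUD learns the bottleneck
        if arrived == seg:
            delivered += seg
        elif err is None:
            timeouts += 1                        # silent loss: the ICMP never got back
            if timeouts >= max_timeouts:
                return {"outcome": "blackhole", "pmtu": pmtu, "delivered": delivered,
                        "timeouts": timeouts, "fragmented": fragmented}
    return {"outcome": "delivered", "pmtu": pmtu, "delivered": delivered,
            "timeouts": timeouts, "fragmented": fragmented}


# Constructed topology: sender on a 1500-byte LAN, second hop has a 576-byte link.
PATH = [Router(mtu=1500), Router(mtu=576)]
PATH_WORKAROUND = [Router(mtu=1500), Router(mtu=576, fragment_despite_df=True)]
ALLOW_FRAG_NEEDED = Firewall(frozenset({ICMP_FRAG_NEEDED}))
DROP_ALL_ICMP = Firewall(frozenset())


def scenarios(payload=3000):
    """Run the cases discussed in the thread and return their summaries."""
    return {
        "icmp_allowed": transfer(1500, PATH, ALLOW_FRAG_NEEDED, payload),
        "icmp_blocked": transfer(1500, PATH, DROP_ALL_ICMP, payload),
        "icmp_blocked_fragment_anyway": transfer(1500, PATH_WORKAROUND, DROP_ALL_ICMP, payload),
        "icmp_allowed_fragment_anyway": transfer(1500, PATH_WORKAROUND, ALLOW_FRAG_NEEDED, payload),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:30s} {result}")
```

With ICMP permitted, the sender drops to a 576-byte PMTU after one error and finishes without fragmentation; with all ICMP dropped, the same 1500-byte packet is lost silently on every retry and the transfer blackholes, which is why a firewall policy must pass type 3 code 4 even when it filters other ICMP. The fragment-anyway knob lets data through a broken path at the cost of fragmentation, and when the ICMP does get back it still lets PMTUD converge, so only the first segment is fragmented.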