Subject: Re: Default value of net.inet.ipsec.dfbit breaks PMTU over IPsec
To: Jason Thorpe <thorpej@wasabisystems.com>
From: Michael Hertrick <m.hertrick@neovera.com>
List: tech-net
Date: 05/28/2004 12:43:43
Jason Thorpe wrote:
>
> On May 28, 2004, at 7:08 AM, Michael Hertrick wrote:
>
>> In the interest of security, specifically the risk of DoS (both
>> intentional and not), I'd like to see the DF bit set by default.
>
>
> Set? Or copied from the original packet?
>
> I think it should be copied from the original.
You're probably right for the sake of compatibility with non-PMTUD
hosts, but if it is copied from the original then one is leaving the
decision up to the untrustworthy end-user/system.
What do you think about a default setting of '3'? '3' being "Drop all
packets until the administrator sets the value to 0, 1, or 2."
~Mike
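[Added example, not part of the thread.] A small C model of what each net.inet.ipsec.dfbit value does to the outer header of a tunnel-mode ESP packet, run over constructed packets so the PMTU and fragmentation consequences the two posters are weighing can be seen concretely. The meaning of 0, 1 and 2 (clear DF, set DF, copy DF from the inner header) is my reading of KAME's ip4_ipsec_dfbit and should be checked against sysctl(7) on your release; 3 is the hypothetical "drop until the administrator chooses" value Mike floats above, not a real setting; the 58-byte encapsulation overhead and the 1500-byte path MTU are constructed numbers, not measured ones. Nothing here is NetBSD's code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Values of net.inet.ipsec.dfbit as I understand KAME's ip4_ipsec_dfbit
 * (assumption; check sysctl(7)). 3 is Mike's hypothetical "drop until the
 * administrator picks a policy" value, not a real setting. */
enum dfbit_policy {
    DFBIT_CLEAR = 0,   /* always clear DF on the outer header */
    DFBIT_SET   = 1,   /* always set DF on the outer header */
    DFBIT_COPY  = 2,   /* copy DF from the inner (original) header */
    DFBIT_DROP  = 3    /* hypothetical: no policy chosen, drop everything */
};

enum tunnel_result {
    TUN_SENT,            /* encapsulated packet fits the path MTU */
    TUN_FRAGMENTED,      /* too big, outer DF clear: gateway fragments the ESP packet */
    TUN_FRAG_NEEDED,     /* too big, outer DF set: drop, ICMP "fragmentation needed" to inner source */
    TUN_DROPPED_POLICY   /* dfbit == 3: administrator has not chosen a policy */
};

/* Constructed overhead: 20-byte outer IPv4 header plus 38 bytes for the ESP
 * header, IV, padding, trailer and ICV. Real overhead depends on the SA. */
#define IPV4_HDR_LEN   20
#define ESP_OVERHEAD   38
#define ENCAP_OVERHEAD (IPV4_HDR_LEN + ESP_OVERHEAD)

struct ip_pkt {
    size_t len;   /* total length including the IPv4 header */
    bool   df;    /* Don't Fragment flag */
};

/* Largest inner packet the inner source may send so the ESP packet still fits;
 * this is what the ICMP "fragmentation needed" message should carry. */
size_t suggested_mtu(size_t path_mtu)
{
    return path_mtu - ENCAP_OVERHEAD;
}

/* Number of IPv4 fragments a packet of total length len becomes on a link of
 * MTU mtu (fragment payload must be a multiple of 8, RFC 791). */
size_t ip_fragment_count(size_t len, size_t mtu)
{
    if (len <= mtu) return 1;
    size_t payload  = len - IPV4_HDR_LEN;
    size_t per_frag = ((mtu - IPV4_HDR_LEN) / 8) * 8;
    return (payload + per_frag - 1) / per_frag;
}

/* Decide the outer DF bit from the policy, then apply the path MTU to the
 * encapsulated packet. With DFBIT_COPY the inner host's DF bit decides whether
 * the gateway fragments or sends ICMP, which is the trust question in the thread. */
enum tunnel_result ipsec_tunnel_out(enum dfbit_policy pol, const struct ip_pkt *inner,
                                    size_t path_mtu, struct ip_pkt *outer)
{
    switch (pol) {
    case DFBIT_CLEAR: outer->df = false;     break;
    case DFBIT_SET:   outer->df = true;      break;
    case DFBIT_COPY:  outer->df = inner->df; break;
    default:          return TUN_DROPPED_POLICY;
    }
    outer->len = inner->len + ENCAP_OVERHEAD;
    if (outer->len <= path_mtu) return TUN_SENT;
    if (!outer->df)             return TUN_FRAGMENTED;
    return TUN_FRAG_NEEDED;   /* caller sends ICMP type 3 code 4 carrying suggested_mtu() */
}

/* Convenience wrapper for one scenario. */
enum tunnel_result run_case(enum dfbit_policy pol, size_t inner_len, bool inner_df, size_t path_mtu)
{
    struct ip_pkt inner = { inner_len, inner_df }, outer = { 0, false };
    return ipsec_tunnel_out(pol, &inner, path_mtu, &outer);
}

int main(void)
{
    static const char *name[] = { "sent", "fragmented", "frag-needed", "dropped(policy)" };
    const size_t path_mtu = 1500;   /* constructed */
    /* A full-size 1500-byte inner packet from a host that clears DF versus one that sets it. */
    for (int pol = DFBIT_CLEAR; pol <= DFBIT_DROP; pol++) {
        for (int df = 0; df <= 1; df++) {
            struct ip_pkt inner = { 1500, df }, outer = { 0, false };
            enum tunnel_result r = ipsec_tunnel_out((enum dfbit_policy)pol, &inner, path_mtu, &outer);
            printf("dfbit=%d inner.df=%d -> %s", pol, df, name[r]);
            if (r == TUN_FRAGMENTED)
                printf(" (%zu ESP fragments on the wire)", ip_fragment_count(outer.len, path_mtu));
            if (r == TUN_FRAG_NEEDED)
                printf(" (ICMP says use MTU %zu)", suggested_mtu(path_mtu));
            printf("\n");
        }
    }
    return 0;
}
```

The row for dfbit=2 with inner.df=0 is the case Mike is worried about: under the copy policy an inner host that clears DF turns every full-size packet into two ESP fragments that the peer gateway must buffer and reassemble before it can even check the ICV, and it never receives the ICMP that would make it shrink its packets. Under dfbit=1 the same host gets "fragmentation needed" with an MTU of 1442 instead, which is what PMTUD needs but which a host that ignores ICMP will not act on, hence Jason's compatibility point.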