MTU path discovery and IPSec

Owen DeLong owen at
Wed Dec 3 23:32:43 UTC 2003

--On Wednesday, December 3, 2003 11:39 AM -0500 Valdis.Kletnieks at 

> On Wed, 03 Dec 2003 16:05:39 GMT, jgraun at  said:
>> 1) I assume MTU path discovery has to been in enabled on each router in
>> the path in order for it work correctly?!
> Actually, no.  All that's required is that:
> a) The router handle the case of a too-large packet with the DF bit set by
> sending back an ICMP 'Dest Unreachable - Frag Needed' packet.  I've never
> actually encountered a router that didn't get this part right. (Has
> anybody ever seen a router botch this, *other* than a config error
> covered in (b) below?)
When you consider that most firewalls are technically routers (albeit
somewhat pathological routers), yes... Many firewalls fail to send back
the ICMP and silently drop the DF packet.

> b) said ICMP makes it back to the originating machine.  This is where all
> the operational breakage I've ever seen on PMTU Discovery comes from. And
> in almost all cases, one of two things is at fault.  Either some bonehead
> firewall admin is "blocking all ICMP for security" (fixable by
> reconfiguring the firewall to let ICMP Frag Needed error messages
> through), or some bonehead network provider numbered their
> point-to-points from 1918 space and the ICMP gets ingress/egress filtered
> (this one is usually not fixable except with a baseball bat).

Yep... Those are definitely the most common PMTU-D problems.


If it wasn't crypto-signed, it probably didn't come from me.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 186 bytes
Desc: not available
URL: <>

More information about the NANOG mailing list