MTU path discovery and IPSec

Owen DeLong owen at delong.com
Wed Dec 3 23:32:43 UTC 2003


--On Wednesday, December 3, 2003 11:39 AM -0500 Valdis.Kletnieks at vt.edu 
wrote:

> On Wed, 03 Dec 2003 16:05:39 GMT, jgraun at comcast.net  said:
>
>> 1) I assume MTU path discovery has to been in enabled on each router in
>> the path in order for it work correctly?!
>
> Actually, no.  All that's required is that:
>
> a) The router handle the case of a too-large packet with the DF bit set by
> sending back an ICMP 'Dest Unreachable - Frag Needed' packet.  I've never
> actually encountered a router that didn't get this part right. (Has
> anybody ever seen a router botch this, *other* than a config error
> covered in (b) below?)
>
When you consider that most firewalls are technically routers (albeit
somewhat pathological routers), yes... Many firewalls fail to send back
the ICMP and silently drop the DF packet.

> b) said ICMP makes it back to the originating machine.  This is where all
> the operational breakage I've ever seen on PMTU Discovery comes from. And
> in almost all cases, one of two things is at fault.  Either some bonehead
> firewall admin is "blocking all ICMP for security" (fixable by
> reconfiguring the firewall to let ICMP Frag Needed error messages
> through), or some bonehead network provider numbered their
> point-to-points from 1918 space and the ICMP gets ingress/egress filtered
> (this one is usually not fixable except with a baseball bat).
>

Yep... Those are definitely the most common PMTU-D problems.

Owen



-- 
If it wasn't crypto-signed, it probably didn't come from me.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 186 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20031203/c1660855/attachment.sig>


More information about the NANOG mailing list