IP tunnel MTU

Sander Steffann sander at steffann.nl
Tue Oct 30 10:19:39 UTC 2012


>>> Certainly fixing all the buggy host stacks, firewall and compliance devices to realize that ICMP isn't bad won't be hard.
>> Wait till you get started on "fixing" the "security" consultants.
> Ack.  I've yet to come across a *device* that doesn't deal properly with "packet too big".  Lots (and lots and lots) of "security" people, one or two applications, but no devices.

I know of one: Juniper SSG and SRX boxes used to block IPv6 ICMP errors when the screening option 'big ICMP packets' was enabled because it blocked all (v4 and v6) ICMP packets bigger than 1024 bytes and IPv6 ICMP errors are often 1280 bytes. I don't know if that has been fixed yet.

- Sander

More information about the NANOG mailing list