ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms
jdpauget at rezopole.net
Wed Feb 27 10:01:06 UTC 2019
I confess using IPv6 behind a 6in4 tunnel because the "Business-Class" service
of the concerned operator doesn't handle IPv6 yet.
as such, I realised that, as far as I can figure, ICMPv6 packet "too-big" (rfc 4443)
seem to be ignored or filtered at ~60% of ClouFlare's http farms
as a result, random sites such as http://nanog.org/ or https://www.ansible.com/
are badly reachable whenever small mtu are involved ...
support at cloudflare answered me that because I'm not the owner of concerned site,
and because of security reasons, they wouldn't investigate further.
are there security concerns with ICMP-too-big ?
Jean-Daniel Pauget http://rezopole.net/
Rezopole/LyonIX +33 (0)4 27 46 00 50
More information about the NANOG