ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms

Jean-Daniel Pauget jdpauget at rezopole.net
Wed Feb 27 10:01:06 UTC 2019


    I confess to using IPv6 behind a 6in4 tunnel because the "Business-Class" service
    of the operator concerned doesn't handle IPv6 yet.

    As such, I realised that, as far as I can figure, ICMPv6 "too-big" packets (RFC 4443)
    seem to be ignored or filtered at ~60% of Cloudflare's HTTP farms.

    As a result, random sites such as http://nanog.org/ or https://www.ansible.com/
    are badly reachable whenever small MTUs are involved ...

    Support at Cloudflare answered me that because I'm not the owner of the concerned site,
    and for security reasons, they wouldn't investigate further.

    Are there security concerns with ICMP-too-big?


    Jean-Daniel Pauget                         http://rezopole.net/
    Rezopole/LyonIX                            +33 (0)4 27 46 00 50
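
Background for the closing question, as an added example that is not part of the original post: a Packet Too Big message (RFC 4443, type 2) is unauthenticated, so a receiver can sanity-check it before lowering its path MTU instead of dropping every such message. The function names, the `local_flows` set, the addresses and the MTU values are assumptions constructed for illustration.

```python
import ipaddress
import struct

IPV6_MIN_MTU = 1280        # minimum IPv6 link MTU (RFC 8200)
ICMPV6_PACKET_TOO_BIG = 2  # message type from RFC 4443


def check_packet_too_big(icmp, local_flows, current_pmtu):
    """Return (path_mtu, reason) for one raw ICMPv6 message.

    local_flows is a hypothetical set of (src, dst) address strings for
    packets this host sent. The checksum is assumed to be verified already.
    """
    if len(icmp) < 8 + 40:
        return current_pmtu, "truncated: no embedded IPv6 header"
    msg_type, code, _cksum, mtu = struct.unpack("!BBHI", icmp[:8])
    if msg_type != ICMPV6_PACKET_TOO_BIG or code != 0:
        return current_pmtu, "not a Packet Too Big message"
    inner = icmp[8:48]  # header of the packet that was too big
    if inner[0] >> 4 != 6:
        return current_pmtu, "embedded packet is not IPv6"
    src = str(ipaddress.IPv6Address(inner[8:24]))
    dst = str(ipaddress.IPv6Address(inner[24:40]))
    if (src, dst) not in local_flows:
        return current_pmtu, "embedded packet matches no flow we sent"
    if mtu < IPV6_MIN_MTU:
        return current_pmtu, "reported MTU below 1280, ignored"
    if mtu >= current_pmtu:
        return current_pmtu, "reported MTU does not lower the path MTU"
    return mtu, "accepted"


def build_sample(src, dst, mtu):
    """Constructed sample: a Packet Too Big quoting a 40-byte IPv6 header."""
    inner = struct.pack("!IHBB", 6 << 28, 0, 6, 64)  # version 6, TCP, hop limit 64
    inner += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu) + inner


if __name__ == "__main__":
    # Constructed addresses from the 2001:db8::/32 documentation prefix.
    flows = {("2001:db8::10", "2001:db8:1::80")}
    for src, mtu in [("2001:db8::10", 1480), ("2001:db8::99", 1280),
                     ("2001:db8::10", 576)]:
        msg = build_sample(src, "2001:db8:1::80", mtu)
        print(src, mtu, check_packet_too_big(msg, flows, 1500))
```

The 1480 case models a 6in4 tunnel over a 1500-byte link (20 bytes of IPv4 header); the other two cases show a message quoting a packet the host never sent and one reporting an MTU below the IPv6 minimum.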
