ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms

Mark Andrews marka at isc.org
Wed Mar 6 04:21:22 UTC 2019



> On 6 Mar 2019, at 1:36 pm, Fernando Gont <fgont at si6networks.com> wrote:
> 
> On 5/3/19 03:26, Mark Andrews wrote:
>> 
>> 
>>> On 5 Mar 2019, at 5:18 pm, Mark Tinka <mark.tinka at seacom.mu> wrote:
>>> 
>>> 
>>> 
>>> On 5/Mar/19 00:25, Mark Andrews wrote:
>>> 
>>>> 
>>>> Then Cloudflare should negotiate MSS’s that don’t generate PTB’s if
>>>> they have installed broken ECMP devices.  The simplest way to do that
>>>> is to set the interface MTUs to 1280 on all the servers.  Why should
>>>> the rest of the world have to put up with their inability to purchase
>>>> devices that work with RFC-compliant data streams?
>>> 
>>> I've had this issue with cdnjs.cloudflare.com for the longest time at my
>>> house. But as some of you may recall, my little unwanted TCP MSS hack
>>> for IPv6 last weekend fixed that issue for me.
>>> 
>>> Not ideal, and I so wish IPv6 would work as designed, but…
>> 
>> It does work as designed except when crap middleware is added.  ECMP
>> should be using the flow label with IPv6.  It has the advantage that
>> it works for non-0-offset fragments as well as 0-offset fragments and
>> also works for transports other than TCP and UDP.  This isn’t a protocol
>> failure.  It is shitty implementations.
> 
> Not to play devil's advocate but the IETF got to publish a spec for ECMP
> use of Flow Labels only a few years ago.
> 
> For quite a while, they were unusable... and might still be, for some
> implementations.

And if it is still using the quintuple, the PTB has all the necessary information
for unfragmented and 0 offset fragment packets (which there shouldn’t be with a
working TCP stack) to be passed through.

> -- 
> Fernando Gont
> SI6 Networks
> e-mail: fgont at si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
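
The point made in the reply above, as an added example that is not part of the original message or any vendor's code: a quintuple-based ECMP device can take the flow key for a Packet Too Big from the invoking packet embedded in it, so the PTB hashes to the same server as the client's own packets. It covers only the unfragmented case with no extension headers; the function names, addresses and ports are constructed, and checksums are left at zero and not validated.

```python
import ipaddress
import struct

TCP, UDP, ICMPV6 = 6, 17, 58
PTB = 2  # ICMPv6 type 2: Packet Too Big


def parse_ipv6(pkt):
    """Return (next_header, src, dst, payload) from the fixed 40-byte IPv6 header."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    return pkt[6], pkt[8:24], pkt[24:40], pkt[40:]


def ports(l4):
    """Source and destination port: the first four bytes of both TCP and UDP."""
    if len(l4) < 4:
        raise ValueError("truncated transport header")
    return struct.unpack("!HH", l4[:4])


def ecmp_key(pkt):
    """Quintuple to hash on, or None when the packet carries no usable ports."""
    nh, src, dst, payload = parse_ipv6(pkt)
    if nh in (TCP, UDP):
        return (src, dst, nh, *ports(payload))
    if nh == ICMPV6 and len(payload) >= 8 and payload[0] == PTB:
        # After the 8-byte ICMPv6 header comes the start of the packet that was
        # too big, i.e. one the server sent: swap its ends to get the client's flow.
        inh, isrc, idst, il4 = parse_ipv6(payload[8:])
        if inh in (TCP, UDP):
            isport, idport = ports(il4)
            return (idst, isrc, inh, idport, isport)
    return None


def ipv6(src, dst, nh, payload):
    """Build a minimal IPv6 packet (constructed sample data, hop limit 64)."""
    header = struct.pack("!IHBB", 6 << 28, len(payload), nh, 64)
    return header + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


# Constructed sample: client port 51000 talks to server port 443; a router returns a PTB.
CLIENT, SERVER, ROUTER = "2001:db8:1::10", "2001:db8:2::80", "2001:db8:ffff::1"
INBOUND = ipv6(CLIENT, SERVER, TCP, struct.pack("!HH", 51000, 443) + bytes(16))
TOO_BIG = ipv6(SERVER, CLIENT, TCP, struct.pack("!HH", 443, 51000) + bytes(16))
PTB_MSG = ipv6(ROUTER, SERVER, ICMPV6, struct.pack("!BBHI", PTB, 0, 0, 1280) + TOO_BIG)
```

Here `ecmp_key(INBOUND)` and `ecmp_key(PTB_MSG)` are equal, whereas a key built from the PTB's outer header (router address, no ports) would not match the flow.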



