ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms

Tore Anderson tore at fud.no
Wed Mar 6 07:17:42 UTC 2019


* Jean-Daniel Pauget

>     I confess using IPv6 behind a 6in4 tunnel because the "Business-Class" service
>     of the concerned operator doesn't handle IPv6 yet.
> 
>     as such, I realised that, as far as I can figure, ICMPv6 packet "too-big" (rfc 4443)
>     seem to be ignored or filtered at ~60% of Cloudflare's http farms
> 
>     as a result, random sites such as http://nanog.org/ or https://www.ansible.com/
>     are badly reachable whenever small mtu are involved ...

Hi Jean-Daniel.

If you're using tunnels you'll want to have your tunnel endpoint
adjust down the TCP MSS value to match the MTU of the tunnel interface.
That way, you'll avoid problems with Path MTU Discovery. Even in those
situations where PMTUD does work fine, doing TCP MSS adjustment will
improve performance as the server does not need to spend an RTT to
discover your reduced MTU.

(This isn't really an IPv6 issue, by the way - ISPs using PPPoE will
typically perform MSS adjustment for IPv4 packets too.)

If you're using Linux as your tunnel endpoint, try:

ip6tables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS  --clamp-mss-to-pmtu

Tore
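
Added example, not part of the original message and not the kernel's code: a Python model of what an MSS clamp on the tunnel endpoint does to a forwarded TCP SYN, including the checksum fix-up. The 1480-byte path MTU (a 1500-byte link minus the outer IPv4 header of 6in4), the names clamp_mss and SAMPLE_SYN, and the sample segment with its placeholder checksum are assumptions constructed for illustration.

```python
import struct

IPV6_HDR, TCP_HDR = 40, 20        # fixed header sizes in bytes
PATH_MTU_6IN4 = 1500 - 20         # assumed: 1500-byte link minus the outer IPv4 header

def _swap(v):
    return ((v & 0xFF) << 8) | (v >> 8)

def clamp_mss(tcp: bytes, path_mtu: int = PATH_MTU_6IN4) -> bytes:
    """Lower a SYN's MSS option to path_mtu - 60; anything else is returned unchanged."""
    if len(tcp) < TCP_HDR or (tcp[13] & 0x06) != 0x02:   # want SYN set, RST clear
        return tcp
    limit = path_mtu - IPV6_HDR - TCP_HDR
    hdr_len = min((tcp[12] >> 4) * 4, len(tcp))
    i = TCP_HDR
    while i < hdr_len:
        kind = tcp[i]
        if kind == 0:                 # End of Option List
            break
        if kind == 1:                 # NOP is a single byte with no length field
            i += 1
            continue
        if i + 1 >= hdr_len:
            break
        length = tcp[i + 1]
        if length < 2 or i + length > hdr_len:   # malformed option: leave the segment alone
            break
        if kind == 2 and length == 4:            # MSS option
            old = struct.unpack_from("!H", tcp, i + 2)[0]
            if old <= limit:                     # only ever lower the MSS
                return tcp
            out = bytearray(tcp)
            struct.pack_into("!H", out, i + 2, limit)
            # Incremental checksum update (RFC 1624): HC' = ~(~HC + ~m + m').
            # A value at an odd offset straddles two 16-bit words, so byte-swap it.
            m, m2 = (_swap(old), _swap(limit)) if (i + 2) % 2 else (old, limit)
            csum = struct.unpack_from("!H", tcp, 16)[0]
            s = (~csum & 0xFFFF) + (~m & 0xFFFF) + m2
            s = (s & 0xFFFF) + (s >> 16)
            s = (s & 0xFFFF) + (s >> 16)
            struct.pack_into("!H", out, 16, ~s & 0xFFFF)
            return bytes(out)
        i += length
    return tcp

# Constructed SYN: ports 49152 -> 443, 24-byte header, MSS 1440, placeholder checksum 0x1234.
SAMPLE_SYN = bytes.fromhex("c00001bb" "00000001" "00000000" "6002" "ffff" "1234" "0000" "020405a0")
```

With the assumed 1480-byte path MTU the advertised MSS drops from 1440 to 1420, so the server never sends a segment that would need an ICMPv6 "too-big" reply to get through the tunnel.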


