ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms
Jean-Daniel Pauget
jdpauget at rezopole.net
Fri Mar 8 12:51:27 UTC 2019
hello,
Tore Anderson, you're right, clamping MSS is very efficient and very
certainly solves most of the problems.
now for UDP, I don't know yet how things like QUIC can be handled ...
regards,
--
Jean-Daniel Pauget http://rezopole.net/
Rezopole/LyonIX +33 (0)4 27 46 00 50
On Wed, Mar 06, 2019 at 08:17:42AM +0100, Tore Anderson wrote:
> * Jean-Daniel Pauget
>
> > I confess using IPv6 behind a 6in4 tunnel because the "Business-Class" service
> > of the concerned operator doesn't handle IPv6 yet.
> >
> > as such, I realised that, as far as I can figure, ICMPv6 "too-big" packets (rfc 4443)
> > seem to be ignored or filtered at ~60% of Cloudflare's http farms
> >
> > as a result, random sites such as http://nanog.org/ or https://www.ansible.com/
> > are badly reachable whenever small MTUs are involved ...
>
> Hi Jean-Daniel.
>
> If you're using tunnels you'll want to have your tunnel endpoint
> adjust down the TCP MSS value to match the MTU of the tunnel interface.
> That way, you'll avoid problems with Path MTU Discovery. Even in those
> situations where PMTUD does work fine, doing TCP MSS adjustment will
> improve performance as the server does not need to spend an RTT to
> discover your reduced MTU.
>
> (This isn't really an IPv6 issue, by the way - ISPs using PPPoE will
> typically perform MSS adjustment for IPv4 packets too.)
>
> If you're using Linux as your tunnel endpoint, try:
>
> ip6tables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>
> Tore
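
What the MSS clamping described in the quoted reply does to a TCP SYN crossing the tunnel endpoint, as an added Python example (not code from the original messages or from netfilter). The function names, addresses and sample packet are constructed for illustration, and the incremental checksum update follows RFC 1624.

```python
import struct

IPV6_HDR, TCP_HDR = 40, 20                  # fixed header sizes in bytes

def ones_sum(data: bytes) -> int:
    """16-bit ones'-complement sum (RFC 1071), folded but not inverted."""
    data = bytes(data) + b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def checksum_ok(src: bytes, dst: bytes, tcp: bytes) -> bool:
    """Verify the TCP checksum against the IPv6 pseudo-header."""
    return ones_sum(src + dst + struct.pack("!I3xB", len(tcp), 6) + tcp) == 0xFFFF

def clamp_mss(tcp: bytes, path_mtu: int) -> bytes:
    """Lower the MSS option of a TCP-over-IPv6 SYN so segments fit path_mtu."""
    if len(tcp) < TCP_HDR or not tcp[13] & 0x02:    # MSS is only sent on SYN
        return tcp
    limit = path_mtu - IPV6_HDR - TCP_HDR
    end = min((tcp[12] >> 4) * 4, len(tcp))         # end of the options area
    i = TCP_HDR
    while i + 1 < end and tcp[i] != 0:              # kind 0 = end of options
        length = 1 if tcp[i] == 1 else tcp[i + 1]   # NOP (kind 1) is a lone byte
        if i + length > end or (tcp[i] != 1 and length < 2):  # malformed: stop
            break
        if tcp[i] == 2 and length == 4:             # kind 2 = MSS
            old = struct.unpack_from("!H", tcp, i + 2)[0]
            if old <= limit:                        # clamping only ever lowers
                return tcp
            out = bytearray(tcp)
            struct.pack_into("!H", out, i + 2, limit)
            # RFC 1624: HC' = ~(~HC + ~m + m') over the aligned words that changed
            a, b = (i + 2) & ~1, (i + 5) & ~1
            hc = struct.unpack_from("!H", tcp, 16)[0]
            s = (~hc & 0xFFFF) + (~ones_sum(tcp[a:b]) & 0xFFFF) + ones_sum(out[a:b])
            s = (s & 0xFFFF) + (s >> 16)
            s = (s & 0xFFFF) + (s >> 16)
            struct.pack_into("!H", out, 16, ~s & 0xFFFF)
            return bytes(out)
        i += length
    return tcp

def build_syn(src: bytes, dst: bytes, options: bytes) -> bytes:
    """Constructed sample input: a SYN with these options and a valid checksum."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 443, 1, 0, (TCP_HDR + len(options)) // 4 << 4, 2, 64800, 0, 0) + options
    csum = ~ones_sum(src + dst + struct.pack("!I3xB", len(tcp), 6) + tcp) & 0xFFFF
    return tcp[:16] + struct.pack("!H", csum) + tcp[18:]
```

Assuming a 6in4 tunnel over a 1500-byte path (tunnel MTU 1480 after the 20-byte IPv4 header), `clamp_mss(syn, 1480)` rewrites an advertised MSS of 1440 to 1420, so the remote server never sends a segment that would need an ICMPv6 "too-big" reply.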