RIPE NCC Executive Board election

William Herrin bill at
Wed May 13 19:14:10 UTC 2020

On Wed, May 13, 2020 at 11:58 AM Brielle <bruns at> wrote:
> One thing that cropped up in my mind from the late 90s and AFAIK still
> goes on today - isn't it pretty well documented that more then a small
> number of 'professional' firewalls have a habit of just outright
> discarding/rejecting/barfing on packets with options in them that they
> don't recognize?

Hi Brielle,

That's not the half of it. Pull very hard on that thread and you'll
quickly find your way in to the PMTUD problem.

Path MTU discovery is the one place in the IP architecture which
abandons the end-to-end principle. If an intermediate device fails to
communicate to the sender that it's packet is too large for a hop, TCP
between the sender and receiver fails. In practice this happens a lot
and for many, many reasons. It's a very broken design.

Operationally, we address this with all sorts of tricks like assuring
the MTU on a link always supports a 1500 byte packet and rewriting the
TCP MSS option in TCP SYN packets whenever we know it won't. None of
these is a 100% solution so we still regularly field failure reports
where a user successfully connects to a service but no data is

Dig in to how Amazon AWS deals with EC2 instances with a 9000 byte MTU
talking with the Internet some time. The MSS gets chopped in TCP and
AWS generates a local frag needed message for UDP.

Bill Herrin

William Herrin
bill at

More information about the NANOG mailing list