RIPE NCC Executive Board election

• Previous message (by thread): RIPE NCC Executive Board election
• Next message (by thread): RIPE NCC Executive Board election
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, May 13, 2020 at 11:58 AM Brielle <bruns at 2mbit.com> wrote:
> One thing that cropped up in my mind from the late 90s and AFAIK still
> goes on today - isn't it pretty well documented that more then a small
> number of 'professional' firewalls have a habit of just outright
> discarding/rejecting/barfing on packets with options in them that they
> don't recognize?

Hi Brielle,

That's not the half of it. Pull very hard on that thread and you'll
quickly find your way in to the PMTUD problem.

Path MTU discovery is the one place in the IP architecture which
abandons the end-to-end principle. If an intermediate device fails to
communicate to the sender that it's packet is too large for a hop, TCP
between the sender and receiver fails. In practice this happens a lot
and for many, many reasons. It's a very broken design.

Operationally, we address this with all sorts of tricks like assuring
the MTU on a link always supports a 1500 byte packet and rewriting the
TCP MSS option in TCP SYN packets whenever we know it won't. None of
these is a 100% solution so we still regularly field failure reports
where a user successfully connects to a service but no data is
transferred.

Dig in to how Amazon AWS deals with EC2 instances with a 9000 byte MTU
talking with the Internet some time. The MSS gets chopped in TCP and
AWS generates a local frag needed message for UDP.

Regards,
Bill Herrin


-- 
William Herrin
bill at herrin.us
https://bill.herrin.us/

• Previous message (by thread): RIPE NCC Executive Board election
• Next message (by thread): RIPE NCC Executive Board election
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]