Re: The IPv4 Internet MTU
On 12-Oct-2007, at 19:02, james woodyatt wrote:
> I have a radical proposal: how about we tell the stateful packet
> filter users that it's their own damned fault if their filters
> break their favorite applications, and that they can either fix
> their broken filters or they can turn them off?
We can't; they'd filter the message. :-)
> PMTUD for IPv4/UDP could work just fine through NAT if the state
> matching and translation code isn't totally broken. The problem we
> are discussing here is in the wetware of the coders who write the
> NAT and stateful packet filter implementations. It's their problem
> if applications don't work because their filters don't pass ICMP
> through for corresponding UDP state -- *not* ours.
Good rant.
At some point, when people insist on breaking stuff, you have to stop
gluing them back together.
What I find utterly infuriating about the whole PMTUD issue is that
people still set the DF bit and then proceed to filter the too big
messages. You can do either if you like, just not both at the same time.
That said, the problem is so widespread that it makes sense to work
around it. Also, the IETF is at fault for adopting such a fragile
protocol. Setting the DF bit on 1 in 10 packets would give almost
identical results when everything works but only cause some slowdown
when they don't. You can't build a protocol that completely fails if
a third party not under your control doesn't do what you expect them
to do.
I really like what we came up with in shim6: the signalling and data
packets all share the same protocol number. So people either filter
all shim6 packets, in which case they won't be able to run shim6 but
there are no other ill effects, or they let the shim6 packets through
and it works.
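The failure mode the reply describes (DF set on every packet, ICMP Fragmentation Needed filtered, flow blackholed) versus the "DF on 1 in 10 packets" idea can be made concrete with a small simulation. The following is an added illustration, not code from the mailing list or from any real IP stack; the sender MTU of 1500, the on-path MTU of 1400, the packet counts and the middlebox's ICMP behaviour are all constructed assumptions. It counts, per run, how many packets arrive, how many had to be fragmented on path, how many vanished into a PMTU blackhole, and whether the sender ever learned the path MTU.

```python
"""Toy model of IPv4 Path MTU Discovery (PMTUD) behind a middlebox that may
drop ICMP 'Fragmentation Needed' (type 3, code 4) messages.

Added illustration for the thread above; not code from the list or from any
real stack. All MTUs, counts and filter behaviour are constructed assumptions.
"""
from dataclasses import dataclass

SENDER_MTU = 1500   # first-hop MTU the sender assumes (constructed)
PATH_MTU = 1400     # smallest link MTU somewhere on the path (constructed)


@dataclass
class Stats:
    delivered: int = 0          # packets that reached the receiver
    fragmented: int = 0         # packets a router had to fragment on path
    dropped_blackhole: int = 0  # DF packets dropped with the ICMP filtered
    pmtu_learned: bool = False  # sender eventually sized packets to fit


def run_pmtud(n_packets: int, df_every: int, icmp_passes: bool) -> Stats:
    """Send n_packets of SENDER_MTU bytes across a PATH_MTU link.

    df_every: set DF on every k-th packet (1 = every packet, 10 = 1 in 10).
    icmp_passes: whether the middlebox forwards ICMP Fragmentation Needed
    back to the sender. Returns the Stats for the run.
    """
    stats = Stats()
    current_mtu = SENDER_MTU  # sender's current estimate of the path MTU

    for i in range(n_packets):
        size = current_mtu
        df = (i % df_every == 0)

        if size <= PATH_MTU:
            # Fits the path: nothing interesting happens.
            stats.delivered += 1
            continue

        if not df:
            # DF clear: the router fragments, the receiver reassembles.
            # Works, at the cost of fragmentation.
            stats.fragmented += 1
            stats.delivered += 1
            continue

        # DF set and oversized: the router drops the packet and emits
        # ICMP Fragmentation Needed carrying the next-hop MTU.
        if icmp_passes:
            current_mtu = PATH_MTU        # classic PMTUD: sender adapts
            stats.pmtu_learned = True
            stats.delivered += 1          # retransmitted at the new size
        else:
            # The middlebox ate the ICMP. The sender never learns, keeps
            # sending full-size DF packets, and each one is blackholed.
            stats.dropped_blackhole += 1

    return stats


def compare(n_packets: int = 100) -> dict:
    """Run the four combinations discussed in the thread."""
    return {
        "df_all_icmp_ok": run_pmtud(n_packets, 1, True),
        "df_all_icmp_filtered": run_pmtud(n_packets, 1, False),
        "df_1in10_icmp_ok": run_pmtud(n_packets, 10, True),
        "df_1in10_icmp_filtered": run_pmtud(n_packets, 10, False),
    }


if __name__ == "__main__":
    for name, s in compare().items():
        print(f"{name:24s} {s}")
```

With ICMP passing, both strategies learn the path MTU on the first DF probe and deliver everything. With ICMP filtered, "DF on every packet" delivers nothing at all, while "DF on 1 in 10" loses only the probes and delivers the rest fragmented, which is the "some slowdown" the reply contrasts with complete failure. On a real network the dropped probes would show up as retransmissions; the model just counts them.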