nanog mailing list archives

Re: IP tunnel MTU


From: Sander Steffann <sander () steffann nl>
Date: Tue, 30 Oct 2012 11:19:39 +0100

Hi,

Certainly fixing all the buggy host stacks, firewall and compliance devices to realize that ICMP isn't bad won't be hard.

Wait till you get started on "fixing" the "security" consultants.

Ack.  I've yet to come across a *device* that doesn't deal properly with "packet too big".  Lots (and lots and lots) of "security" people, one or two applications, but no devices.


I know of one: Juniper SSG and SRX boxes used to block IPv6 ICMP errors when the screening option 'big ICMP packets' was enabled because it blocked all (v4 and v6) ICMP packets bigger than 1024 bytes and IPv6 ICMP errors are often 1280 bytes. I don't know if that has been fixed yet.

- Sander
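
The size interaction described in the message above, as an added example that is not part of the original post and is not Juniper's code. It builds an ICMPv6 Packet Too Big error that quotes as much of the invoking packet as RFC 4443 allows, then runs it through two hypothetical screens. Assumptions: the 1024-byte limit is measured on the whole IPv6 packet, and the function names and the type-aware variant are illustrative.

```python
import struct

IPV6_MIN_MTU = 1280        # RFC 4443: an ICMPv6 error must not exceed this size
IPV6_HDR_LEN = 40
ICMP6_HDR_LEN = 8
ICMP6_PACKET_TOO_BIG = 2
SCREEN_LIMIT = 1024        # threshold quoted in the message above


def build_packet_too_big(invoking_packet: bytes, next_hop_mtu: int) -> bytes:
    """Return the ICMPv6 part (header + quoted data) of a Packet Too Big error.

    The invoking packet is quoted up to the point where the whole error
    packet, IPv6 header included, would reach 1280 bytes. The checksum is
    left at zero because it plays no part in the size check.
    """
    room = IPV6_MIN_MTU - IPV6_HDR_LEN - ICMP6_HDR_LEN
    header = struct.pack("!BBHI", ICMP6_PACKET_TOO_BIG, 0, 0, next_hop_mtu)
    return header + invoking_packet[:room]


def size_only_screen(icmp6: bytes) -> bool:
    """Hypothetical screen: pass only if the packet is at most 1024 bytes."""
    return IPV6_HDR_LEN + len(icmp6) <= SCREEN_LIMIT


def type_aware_screen(icmp6: bytes) -> bool:
    """Same limit, but ICMPv6 error messages (types 0-127) are exempt."""
    is_error = icmp6[0] < 128
    return is_error or size_only_screen(icmp6)


def survey(invoking_sizes, next_hop_mtu=1280):
    """Map invoking size -> (error packet size, size-only verdict, type-aware verdict)."""
    rows = {}
    for size in invoking_sizes:
        ptb = build_packet_too_big(bytes(size), next_hop_mtu)  # constructed payload
        rows[size] = (IPV6_HDR_LEN + len(ptb),
                      size_only_screen(ptb), type_aware_screen(ptb))
    return rows


if __name__ == "__main__":
    for size, (err_len, a, b) in survey([1300, 1400, 1500]).items():
        print(f"invoking={size} error={err_len} size-only={a} type-aware={b}")
```

Any packet that triggers Packet Too Big is itself larger than 1280 bytes, so a fully quoted error is always 1280 bytes and the size-only screen drops every one of them, which leaves the sender with no path MTU signal.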


