nanog mailing list archives

Re: RIPE NCC Executive Board election


From: William Herrin <bill () herrin us>
Date: Wed, 13 May 2020 12:14:10 -0700

On Wed, May 13, 2020 at 11:58 AM Brielle <bruns () 2mbit com> wrote:
One thing that cropped up in my mind from the late 90s and AFAIK still
goes on today - isn't it pretty well documented that more than a small
number of 'professional' firewalls have a habit of just outright
discarding/rejecting/barfing on packets with options in them that they
don't recognize?

Hi Brielle,

That's not the half of it. Pull very hard on that thread and you'll
quickly find your way into the PMTUD problem.

Path MTU discovery is the one place in the IP architecture which
abandons the end-to-end principle. If an intermediate device fails to
communicate to the sender that its packet is too large for a hop, TCP
between the sender and receiver fails. In practice this happens a lot
and for many, many reasons. It's a very broken design.

Operationally, we address this with all sorts of tricks like assuring
the MTU on a link always supports a 1500 byte packet and rewriting the
TCP MSS option in TCP SYN packets whenever we know it won't. None of
these is a 100% solution so we still regularly field failure reports
where a user successfully connects to a service but no data is
transferred.

Dig into how Amazon AWS deals with EC2 instances with a 9000 byte MTU
talking with the Internet some time. The MSS gets chopped in TCP and
AWS generates a local frag needed message for UDP.

Regards,
Bill Herrin


-- 
William Herrin
bill () herrin us
https://bill.herrin.us/
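A small illustration of the MSS clamping Bill mentions, added here as an example and not taken from the thread: the function walks a TCP SYN's option list and rewrites the MSS option down to what a given link MTU allows (MTU minus the fixed IP header and the 20-byte TCP header). The SYN segment is constructed for the demo, and the TCP checksum is deliberately left to the caller, since recomputing it needs the IP pseudo-header.

```python
import struct

TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2


def max_mss_for_mtu(link_mtu: int, ipv6: bool = False) -> int:
    # MSS counts payload only: subtract the fixed IP header (20 for IPv4,
    # 40 for IPv6) and the 20-byte TCP header. 1500 -> 1460 on IPv4.
    return link_mtu - (40 if ipv6 else 20) - 20


def clamp_syn_mss(segment: bytes, link_mtu: int, ipv6: bool = False):
    """Return (segment, original_mss, effective_mss).

    Only SYN/SYN-ACK segments carry MSS; anything else is returned as-is
    with (None, None). The caller must recompute the TCP checksum after a
    rewrite, which needs the IP addresses and is out of scope here.
    """
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (segment[12] >> 4) * 4
    if not segment[13] & 0x02:            # SYN flag not set
        return segment, None, None
    limit = max_mss_for_mtu(link_mtu, ipv6)
    opts = bytearray(segment[20:data_offset])
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:           # single-byte padding option
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            raise ValueError("malformed TCP option")
        length = opts[i + 1]
        if kind == TCP_OPT_MSS and length == 4:
            (mss,) = struct.unpack_from("!H", opts, i + 2)
            if mss > limit:               # clamp, leave smaller values alone
                struct.pack_into("!H", opts, i + 2, limit)
                return segment[:20] + bytes(opts) + segment[data_offset:], mss, limit
            return segment, mss, mss
        i += length
    return segment, None, None


def build_syn(mss: int) -> bytes:
    # Constructed sample SYN: 20-byte header plus 8 bytes of options
    # (MSS, NOP, NOP, SACK-permitted), so data offset = 7 words.
    opts = struct.pack("!BBH", TCP_OPT_MSS, 4, mss) + b"\x01\x01" + bytes([4, 2])
    header = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0,
                         (5 + len(opts) // 4) << 4, 0x02, 65535, 0, 0)
    return header + opts
```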

