
Greetings all, I'm working with a few folks on firewall and IDS rules that will flag suspicious fragmented traffic. I know the legal minimum of a non-terminal fragment is 28 bytes, but given non-terminals should reflect the MTU of the topologies along the link, this number is far lower than what I expect you should see for legitimate fragmentation in the wild. A few years back I noted some 512-536 MTU links in Asia. I've been doing some testing and can't seem to find them anymore. Is it safe to assume that 99.9% of the Internet is running on 1500 MTU or higher these days? I know some people artificially set their end point MTU a bit lower (like 1400) to deal with things like having their traffic encapsulated by GRE or IPSec. With this in mind, would we be safe to flag/drop/whatever all fragments smaller than 1200 bytes that are not last fragments (i.e., more fragments is still set)? Does anyone maintain, or is aware of, links that would not meet this 1200 MTU? Any and all feedback would be greatly appreciated, C
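As an added illustration of the check the question describes (this is example code, not part of the original post and not any particular firewall's or IDS's rule syntax), the Python below parses the fixed IPv4 header from raw packet bytes, identifies fragments via the MF flag and fragment offset, and flags non-terminal fragments whose IP total length falls below a configurable threshold. It also separates out non-terminal fragments whose payload is not a multiple of 8 bytes, which RFC 791 requires and which a detector can reject before applying any size heuristic. The 1200-byte default, the packet-building helper and the sample packets are constructed assumptions for demonstration; the threshold is a parameter precisely because the post's question is what value is safe.

```python
import struct

# IPv4 flags/fragment-offset field (RFC 791): bit 0x4000 = DF, bit 0x2000 = MF,
# low 13 bits = fragment offset in units of 8 bytes.
IP_FLAG_DF = 0x4000
IP_FLAG_MF = 0x2000
IP_FRAG_OFFSET_MASK = 0x1FFF
IPV4_HDR_FMT = "!BBHHHBBH4s4s"  # 20 bytes, no options


def parse_ipv4_header(pkt: bytes) -> dict:
    """Parse the fixed 20-byte IPv4 header and return the fields the fragment rule needs."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, _src, _dst) = struct.unpack(IPV4_HDR_FMT, pkt[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    return {
        "ihl": ihl,
        "total_len": total_len,
        "id": ident,
        "df": bool(flags_frag & IP_FLAG_DF),
        "mf": bool(flags_frag & IP_FLAG_MF),
        "frag_offset": (flags_frag & IP_FRAG_OFFSET_MASK) * 8,  # bytes
        "proto": proto,
    }


def classify_fragment(hdr: dict, min_nonterminal_len: int = 1200) -> str:
    """Apply the 'small non-terminal fragment' rule to one parsed header.

    min_nonterminal_len is compared against the IP total length (header plus
    payload); 1200 is the threshold proposed in the post, treated here as an
    assumption rather than a recommendation.
    """
    is_fragment = hdr["mf"] or hdr["frag_offset"] > 0
    if not is_fragment:
        return "unfragmented"
    if not hdr["mf"]:
        return "last-fragment"  # size of the final piece is arbitrary; not covered by the rule
    payload = hdr["total_len"] - hdr["ihl"]
    if payload <= 0 or payload % 8 != 0:
        # RFC 791: every non-last fragment must carry a multiple of 8 data bytes.
        return "malformed-nonterminal"
    if hdr["total_len"] < min_nonterminal_len:
        return "suspicious-small-nonterminal"
    return "nonterminal-ok"


def scan(packets, min_nonterminal_len: int = 1200) -> dict:
    """Classify a batch of raw packets and return a verdict -> count mapping."""
    counts = {}
    for pkt in packets:
        verdict = classify_fragment(parse_ipv4_header(pkt), min_nonterminal_len)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


def build_ipv4(total_len: int, ident: int, mf: bool, frag_offset_units: int, proto: int = 17) -> bytes:
    """Construct a synthetic IPv4 packet (header + zero payload) for testing.

    Addresses are from the RFC 5737 documentation ranges; checksum is left as 0
    because the parser does not verify it. Constructed sample data, not captured traffic.
    """
    flags_frag = (IP_FLAG_MF if mf else 0) | (frag_offset_units & IP_FRAG_OFFSET_MASK)
    hdr = struct.pack(IPV4_HDR_FMT, 0x45, 0, total_len, ident, flags_frag, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return hdr + b"\x00" * (total_len - 20)


# Constructed sample traffic: a normal 1500-byte first fragment, its last fragment,
# an unfragmented datagram, the 28-byte legal-minimum fragment, and a malformed one.
SAMPLE_PACKETS = [
    build_ipv4(1500, 1, True, 0),      # first fragment of a 1500-MTU path
    build_ipv4(520, 1, False, 185),    # its last fragment (offset 185*8 = 1480)
    build_ipv4(1400, 2, False, 0),     # unfragmented
    build_ipv4(28, 3, True, 0),        # legal minimum non-terminal: 20 header + 8 data
    build_ipv4(30, 4, True, 0),        # non-terminal with 10 data bytes: violates the 8-byte rule
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        h = parse_ipv4_header(pkt)
        print(h["id"], h["total_len"], h["mf"], h["frag_offset"], classify_fragment(h))
    print(scan(SAMPLE_PACKETS))
```

Note that the rule is applied per packet with no reassembly state, so it cannot tell a tiny first fragment that is followed by a legitimate remainder from one that is not; that is by design, since the post's proposal is a stateless size check. Lowering `min_nonterminal_len` (for example to 1200 minus typical GRE or IPsec overhead) is the knob the question is really about, and the `scan` counts over a traffic sample are a way to measure how much legitimate traffic a given threshold would catch before enforcing it.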