On 25.12.2025 10:28 William Herrin <bill@herrin.us> wrote:
> It depends on the price. When you're trying to minimize the price of your service, IPv4 addresses have become one of the expenses you can tweak.

I agree on CGNAT (or other forms of NAT) for IPv4, but not IPv6.

>> - TCP MSS - MSS Clamping all connections
>> - TCP MSS - MSS Clamping, but you instead (accidentally?) set MSS to your desired value even if it was lower before
>> This is crap. ICMP exists for this and also works for UDP.
>
> With due respect, it's no secret that PMTUD on the Internet is broken. There are just too many ways for that ICMP packet from the middle box to get lost and not all of them are a result of ignorant configuration. PMTUD is one of the very few places that IPv4's designers broke with the end-to-end principle and it shows.

IPv4 is indeed nasty because if the DF bit is not set, a router might fragment and the receiver might not handle that properly. Everything else is handled by ICMP. If people are blocking that, it is their fault.

> If you know you're transiting a link with an MTU below 1500, reliable use means clamping the MSS. Sorry, but that's how it is these days.

If that fixed the problem, it is still broken and everything else (like UDP) is broken.

>> - Related to above - Network accepts TCP connection which it will intercept (sends SYN/ACK to user) before it confirms that the destination is reachable
>> Are you a crappy ISP that really needs to do this?
>
> Geostationary satellite. You HAVE to do things to speed up TCP or the customer feels the pain.

If the customer agrees to that - fine. But as a customer I want to know what interception is being done.

>> - Dropping/resetting port 80 sessions that don't 'look like' HTTP
>> - Dropping/resetting port 443 sessions that don't 'look like' TLS
>> Can you please stop interfering with connections? You are an ISP and people pay you for transferring the data they requested.
>
> This is usually done by enterprises rather than ISPs. Except when the DDOS mitigation service is active. Then they're quite pointedly filtering out non-standard traffic.

Enterprises are not ISPs for normal situations. I do filter stuff too in certain parts of my network, but I can decide myself what to filter, rather than my ISP.

--
kind regards
Marco

Send spam to abfall1766654886@stinkedores.dorfdsl.de
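The two MSS-clamping list items and the PMTUD argument above can be made concrete with a small model. The following is an added example and not code from the thread or from either of its authors; it assumes 40 bytes of IPv4+TCP header overhead (60 for IPv6+TCP, no TCP options) and models a path as a list of hops that either send ICMP "Fragmentation Needed" back to the sender or silently drop oversized DF packets. It shows the difference between clamping the SYN's MSS down to min(advertised, MTU-40) and the bug of overwriting it with the box's own value, and it shows why a DF-set sender ends up in a black hole once the ICMP message is filtered somewhere on the return path.

```python
# Added example (not code from the thread): a toy model of MSS clamping and
# of Path MTU Discovery with and without ICMP. Assumptions: 40 bytes of
# IPv4+TCP header overhead (60 for IPv6+TCP), no TCP options, and a path
# modelled as a list of hops that either return ICMP "Fragmentation Needed"
# to the sender or drop the packet silently.
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPV4_TCP_OVERHEAD = 40   # 20-byte IPv4 header + 20-byte TCP header, no options
IPV6_TCP_OVERHEAD = 60   # 40-byte IPv6 header + 20-byte TCP header, no options


def max_mss_for_mtu(mtu: int, overhead: int = IPV4_TCP_OVERHEAD) -> int:
    """Largest TCP payload that fits one packet on a link with this MTU."""
    return mtu - overhead


def clamp_mss(advertised_mss: int, link_mtu: int,
              overhead: int = IPV4_TCP_OVERHEAD) -> int:
    """Correct clamping: only lower the MSS carried in the SYN, never raise it.

    If the peer already asked for something smaller (because of a smaller
    MTU elsewhere on its own side), that smaller value must survive.
    """
    return min(advertised_mss, max_mss_for_mtu(link_mtu, overhead))


def overwrite_mss(advertised_mss: int, link_mtu: int,
                  overhead: int = IPV4_TCP_OVERHEAD) -> int:
    """The buggy variant from the list: stamp the box's own value into every
    SYN even when the original MSS was lower. The advertised value is ignored,
    so a peer that asked for 1200 is now told it may receive 1360-byte
    segments, which its own path cannot carry."""
    return max_mss_for_mtu(link_mtu, overhead)


@dataclass
class Hop:
    name: str
    mtu: int
    icmp_reaches_sender: bool = True   # False models a filtered "Fragmentation Needed"


def pmtud(path: List[Hop], initial_size: int,
          max_rounds: int = 16) -> Tuple[Optional[int], List[Tuple[str, int]]]:
    """Simulate a DF-set sender probing the path.

    Returns (packet size that finally got through, or None on a black hole,
             list of (hop, mtu) pairs the sender learned about via ICMP).
    """
    size = initial_size
    learned: List[Tuple[str, int]] = []
    for _ in range(max_rounds):
        blocking = next((h for h in path if size > h.mtu), None)
        if blocking is None:
            return size, learned               # packet fits every hop
        if not blocking.icmp_reaches_sender:
            return None, learned               # dropped silently: PMTUD black hole
        learned.append((blocking.name, blocking.mtu))
        size = blocking.mtu                    # honour the MTU from the ICMP message
    return None, learned


if __name__ == "__main__":
    print("correct clamp  1460 over MTU 1400 ->", clamp_mss(1460, 1400))      # 1360
    print("correct clamp  1200 over MTU 1400 ->", clamp_mss(1200, 1400))      # 1200, peer's value kept
    print("overwrite bug  1200 over MTU 1400 ->", overwrite_mss(1200, 1400))  # 1360, too big for the peer
    good = [Hop("access", 1492), Hop("tunnel", 1400)]
    bad = [Hop("access", 1492), Hop("tunnel", 1400, icmp_reaches_sender=False)]
    print("PMTUD, ICMP delivered:", pmtud(good, 1500))   # (1400, [('access', 1492), ('tunnel', 1400)])
    print("PMTUD, ICMP filtered: ", pmtud(bad, 1500))    # (None, [('access', 1492)])
```

The clamping functions work on the value in the SYN only; the `overhead` parameter lets the same check be applied to IPv6 (60 bytes), where the minimum link MTU of 1280 puts a floor under the result. The `pmtud` model deliberately stops probing as soon as one hop drops without ICMP, which is the failure mode the reply above refers to: the sender keeps retransmitting full-size segments and never learns why they vanish.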