On Jan 18, 2018, at 4:32 PM, William Herrin <bill@herrin.us> wrote:
On Thu, Jan 18, 2018 at 7:14 PM, Jared Mauch <jared@puck.nether.net> wrote:
Let's say I can send you a 9K packet. If you receive that frame and realize you need to fragment, then it's your router's job to slice 9000 into 5 x 1500.
In practice, no, because the packet you sent had the "don't fragment" bit set. That means my router is not allowed to fragment the packet. Instead, I must send the originating host an ICMP destination unreachable packet stating that the largest packet I can send further is 1500 bytes.
You might receive my ICMP message. You might not. After all, I am not the host you were looking for.
This gets especially bad in cases such as anycast where the return path may be asymmetrical and could result in delivery of the ICMP PTB message to a different anycast instance or to a stateless load balancer that is incapable of determining which machine originated the packet being referenced. One of the many reasons I continue to question the wisdom of using anycast for multi-packet transactions.

Owen
Good luck.
Regards, Bill Herrin
P.S. This makes Linux servers happy:
iptables -t mangle --insert POSTROUTING --proto tcp \
    --tcp-flags SYN,RST,FIN SYN --match tcpmss --mss 1241:65535 \
    --jump TCPMSS --set-mss 1240
-- 
William Herrin ................ herrin@dirtside.com bill@herrin.us
Dirtside Systems ......... Web: <http://www.dirtside.com/>
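Added example, not part of the thread: a Python model of what the rule in the P.S. does to a SYN, so the match range (`--mss 1241:65535`), the flag mask and the checksum repair can be checked offline on constructed segments. It assumes raw TCP segments without the IP header and uses the rule's own numbers (1240, 1241:65535).

```python
import struct

# Values from the iptables rule in the P.S.: only SYNs whose MSS option is
# 1241..65535 are rewritten to 1240; anything at or below 1240 is left alone.
CLAMP_MSS = 1240
TH_FIN, TH_SYN, TH_RST = 0x01, 0x02, 0x04

def internet_checksum(data: bytes) -> int:
    """Ones-complement sum over 16-bit words (odd tail zero-padded)."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def _word(buf: bytes, off: int) -> int:
    b0, b1 = buf[off], buf[off + 1]  # odd offsets straddle two checksum words
    return (b0 << 8 | b1) if off % 2 == 0 else (b1 << 8 | b0)

def clamp_mss(tcp: bytes, new_mss: int = CLAMP_MSS) -> tuple:
    """Rewrite the MSS option of a raw TCP segment (no IP header) like the rule.
    Returns (segment, original_mss); original_mss is None when nothing matched.
    The checksum is patched incrementally (RFC 1624): no pseudo-header needed."""
    # --tcp-flags SYN,RST,FIN SYN: SYN set, RST and FIN clear (SYN-ACK matches too)
    if len(tcp) < 20 or tcp[13] & (TH_SYN | TH_RST | TH_FIN) != TH_SYN:
        return tcp, None
    buf, end, i = bytearray(tcp), (tcp[12] >> 4) * 4, 20
    while i + 1 < end:
        kind, length = buf[i], buf[i + 1]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP padding: one byte, no length
            i += 1
            continue
        if length < 2 or i + length > end:  # malformed option: leave segment alone
            break
        if kind == 2 and length == 4:       # MSS option
            old = struct.unpack_from("!H", buf, i + 2)[0]
            if old <= new_mss:              # outside --mss 1241:65535: no change
                return tcp, old
            m_old = _word(buf, i + 2)
            struct.pack_into("!H", buf, i + 2, new_mss)
            hc = struct.unpack_from("!H", buf, 16)[0]
            s = (~hc & 0xFFFF) + (~m_old & 0xFFFF) + _word(buf, i + 2)
            while s >> 16:
                s = (s & 0xFFFF) + (s >> 16)
            struct.pack_into("!H", buf, 16, ~s & 0xFFFF)
            return bytes(buf), old
        i += length
    return tcp, None
```

The same parity-aware update is what lets the rewrite stay correct when NOPs push the MSS value onto an odd offset, which a naive 16-bit patch gets wrong.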