In message <CADb+6TAqqYc2yLUGV7n4Qiioq8qasriNsBtCRNNvB2K1A-t1rw@mail.gmail.com> , Joel Maslak writes:
On Wed, Mar 9, 2016 at 9:27 AM, joel jaeggli <joelja@bogus.com> wrote:
PMTU blackhole detection implemented in all hosts. IPv4 is a lost cause in my opinion (although it's strange how many hosts seem to get away with a 1492 (or is it 1496) MTU because they're using PPPoE).
If your adv_mss is set accordingly you can get away with a lot.
At least for TCP. EDNS with sizes > 14xx bytes just plain doesn't universally work across the internet, yet it's the default everywhere.
If you fix your own firewall to accept fragmented packets, EDNS basically works. Over the years I've seen a couple of sites which can't emit fragmented EDNS, but they are few and far between.

Firewall vendors could also do the correct thing and support installing slits as well as pinholes when generating reply-traffic acceptance rules on the fly. They could be honest and acknowledge that legitimate reply traffic includes packet fragments and build their boxes to support it. Outbound

    allow proto udp from any to any 53 keep-state permit-frags

could generate

    allow proto udp from dst 53 to src src-port
    allow proto udp from dst to src frag offset != 0

You still have the protocol and the source and destination addresses. You also don't allow full packets to reassemble via the slit rule.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
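The pinhole-plus-slit idea from the message above, as an added example that is not part of the original thread: a toy stateful filter (constructed model, not any vendor's implementation) that installs a full 5-tuple pinhole for the DNS reply and, when permit-frags is set, an address-only slit for non-first fragments, which carry no UDP header and so can only be matched on protocol and addresses.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the thread's rule: outbound "udp to port 53 keep-state
# permit-frags" installs a pinhole (ports known) and a slit (addresses only).

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int]      # None on non-first fragments: no L4 header present
    dport: Optional[int]
    frag_offset: int = 0      # IP fragment offset in 8-octet units; 0 = first/whole

@dataclass
class StatefulFirewall:
    permit_frags: bool
    pinholes: set = field(default_factory=set)  # (proto, peer, local, peer_port, local_port)
    slits: set = field(default_factory=set)     # (proto, peer, local)

    def outbound(self, pkt: Packet) -> None:
        """Outbound UDP/53 matches keep-state; install the reply-acceptance entries."""
        if pkt.proto == "udp" and pkt.dport == 53:
            self.pinholes.add((pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport))
            if self.permit_frags:
                self.slits.add((pkt.proto, pkt.dst, pkt.src))

    def inbound_allowed(self, pkt: Packet) -> bool:
        if pkt.frag_offset == 0:
            # Whole packet or first fragment: the full 5-tuple must match a pinhole.
            return (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport) in self.pinholes
        # Non-first fragment: only proto + addresses are available, so check the slit.
        return (pkt.proto, pkt.src, pkt.dst) in self.slits

def demo(permit_frags: bool) -> dict:
    """Constructed addresses (RFC 5737 ranges): one query out, three packets back."""
    fw = StatefulFirewall(permit_frags)
    fw.outbound(Packet("udp", "192.0.2.10", "198.51.100.53", 40000, 53))
    full = Packet("udp", "198.51.100.53", "192.0.2.10", 53, 40000)             # whole reply
    frag = Packet("udp", "198.51.100.53", "192.0.2.10", None, None, 185)      # 2nd fragment
    stray = Packet("udp", "203.0.113.7", "192.0.2.10", None, None, 185)       # unrelated frag
    return {"full": fw.inbound_allowed(full),
            "frag": fw.inbound_allowed(frag),
            "stray": fw.inbound_allowed(stray)}
```

With permit_frags off, the pinhole-only firewall drops the second fragment of a large EDNS reply exactly as the message describes, while the slit never admits a fragment from an address pair that has no outstanding query.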