On Wed, May 13, 2020 at 11:58 AM Brielle <bruns@2mbit.com> wrote:
One thing that cropped up in my mind from the late 90s and AFAIK still goes on today - isn't it pretty well documented that more than a small number of 'professional' firewalls have a habit of just outright discarding/rejecting/barfing on packets with options in them that they don't recognize?
Hi Brielle,

That's not the half of it. Pull very hard on that thread and you'll quickly find your way into the PMTUD problem. Path MTU discovery is the one place in the IP architecture which abandons the end-to-end principle. If an intermediate device fails to communicate to the sender that its packet is too large for a hop, TCP between the sender and receiver fails. In practice this happens a lot and for many, many reasons. It's a very broken design.

Operationally, we address this with all sorts of tricks like assuring the MTU on a link always supports a 1500 byte packet and rewriting the TCP MSS option in TCP SYN packets whenever we know it won't. None of these is a 100% solution so we still regularly field failure reports where a user successfully connects to a service but no data is transferred.

Dig into how Amazon AWS deals with EC2 instances with a 9000 byte MTU talking with the Internet some time. The MSS gets chopped in TCP and AWS generates a local frag needed message for UDP.

Regards,
Bill Herrin

--
William Herrin
bill@herrin.us
https://bill.herrin.us/
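The MSS-rewriting trick Bill describes, as an added illustration that is not part of this thread: rewrite the MSS option of a TCP SYN so it never exceeds what a 1500-byte link can carry, patching the TCP checksum incrementally (RFC 1624) instead of recomputing it. The SYN, the 9000-byte-MTU host (MSS 8960) and the addresses are constructed sample values, and IPv4 with a 20-byte IP header is assumed.

```python
import struct

OPT_END, OPT_NOP, OPT_MSS = 0, 1, 2   # TCP option kinds; flag byte value 0x02 is SYN
def ones_sum(data) -> int:
    """16-bit one's-complement sum of data (odd trailing byte zero-padded), carries folded."""
    data = bytes(data) + (b"\x00" if len(data) % 2 else b"")
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))   # IPv4 pseudo-header
    return ~ones_sum(pseudo + segment[:16] + b"\x00\x00" + segment[18:]) & 0xFFFF

def clamp_mss(segment: bytes, link_mtu: int):
    """Return (segment, original MSS or None); a SYN whose MSS exceeds link_mtu - 40 is rewritten."""
    if len(segment) < 20 or not segment[13] & 0x02:
        return segment, None                  # only SYN / SYN-ACK carry an MSS option
    end_opts = min((segment[12] >> 4) * 4, len(segment))
    max_mss, buf, i = link_mtu - 40, bytearray(segment), 20   # 40 = IPv4 + TCP header bytes
    while i < end_opts:
        kind = buf[i]
        if kind in (OPT_END, OPT_NOP):        # single-byte options; END bytes also pad the header
            i += 1
            continue
        if i + 1 >= end_opts or buf[i + 1] < 2 or i + buf[i + 1] > end_opts:
            break                             # malformed option list: leave the segment untouched
        if kind == OPT_MSS and buf[i + 1] == 4:
            old_mss = struct.unpack_from("!H", buf, i + 2)[0]
            if old_mss <= max_mss:
                return segment, old_mss
            start = (i + 2) & ~1              # aligned 16-bit word(s) covering the 2-byte value
            end = start + (4 if (i + 2) & 1 else 2)
            struct.pack_into("!H", buf, i + 2, max_mss)
            old_csum = struct.unpack_from("!H", buf, 16)[0]   # RFC 1624: HC' = ~(~HC + ~m + m')
            terms = struct.pack("!HH", ~old_csum & 0xFFFF, ~ones_sum(segment[start:end]) & 0xFFFF)
            struct.pack_into("!H", buf, 16, ~ones_sum(terms + buf[start:end]) & 0xFFFF)
            return bytes(buf), old_mss
        i += buf[i + 1]
    return segment, None

def build_syn(src_ip: bytes, dst_ip: bytes, options: bytes) -> bytes:
    """Constructed sample SYN (not captured traffic): 20-byte header plus 4-byte-padded options."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 443, 1000, 0, (5 + len(options) // 4) << 4, 0x02, 65535, 0, 0)
    return hdr[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, hdr + options)) + hdr[18:] + options

SRC, DST = bytes([10, 0, 1, 5]), bytes([198, 51, 100, 7])            # constructed sample addresses
SYN_8960 = build_syn(SRC, DST, b"\x02\x04\x23\x00\x01\x03\x03\x07")  # 9000-byte-MTU host: MSS 8960, NOP, wscale 7
CLAMPED, ORIGINAL_MSS = clamp_mss(SYN_8960, 1500)                    # MSS becomes 1460; ORIGINAL_MSS == 8960
```

A SYN whose MSS already fits the link, a segment without the SYN flag, or a malformed option list passes through unchanged, which is the behaviour a clamping box on the path should have.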