"Dalvenjah", you are in direct violation of the NANOG AUP. Please come into compliance by posting with your real name, as opposed to your IRC nickname; otherwise you'll be removed from the list. If we are to believe that "Dajvenjah Foxfire" is your real name, please provide proof of your legal name change, or a birth certificate, for NANOG review.
"bicknell" == Leo Bicknell <bicknell@ufp.org> writes:
bicknell> This is a new problem to me, but I'm sure people have
bicknell> run into it before. Are the servers really that broken
bicknell> (PMTU enabled, ICMP Can't Fragment filtered)? Does the
bicknell> head end box of DSL services generally do something to
bicknell> work around this (ie, clear the DF bit)? Am I just
bicknell> being an idiot and missing something obvious?
I first saw this about four years ago with a web site running behind a load balancing device. It was -- and probably still is -- another issue of default configuration hell. The web servers were configured by default to do Path MTU discovery, while the load balancer had no concept of passing the ICMP Need Fragment packet back to the appropriate server.
(There may still be no good way to do this; if I remember right, the ICMP Need Fragment packet contains only IPs and not ports; the host sending the ICMP packet will be using its IP and the outside IP of the load balancer, giving the load balancer no good way to determine where to pass the ICMP packet, unless the load balancer is guaranteeing that all data from a particular IP goes to a particular server -- also not a default configuration.)
It's a hard call for which to make the default; PMTU makes sense, obviously, unless you're running behind a load balancer. It's another one of those things that probably isn't documented anywhere, or if it is, it's buried in an appendix that nobody gets to.
The only solution is to mail the folks maintaining the web sites you can't get to with a short explanation of what you think the problem is, and hope they look into it and fix it. Not unlike smurf relays and networks that don't filter outgoing source addresses. }:>
-dalvenjah
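An added example, not part of the original messages: a parser for the ICMP Destination Unreachable / Fragmentation Needed message (type 3, code 4) discussed in this thread, following the RFC 792 and RFC 1191 layout, that extracts the fields a device in front of the servers has available when deciding which flow the error belongs to. The addresses, ports and MTU in the sample packet are constructed, and the function names are hypothetical.

```python
import socket
import struct

def build_sample() -> bytes:
    """Constructed sample: a router reports next-hop MTU 1492 for a server-to-client segment."""
    inner_ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 1500, 0x1234, 0x4000,      # ver/IHL, TOS, total length, id, flags (DF set)
        64, socket.IPPROTO_TCP, 0,          # TTL, protocol, checksum (left 0, not verified)
        socket.inet_aton("192.0.2.10"),     # source: the address the client connected to
        socket.inet_aton("198.51.100.7"),   # destination: the client
    )
    inner_l4 = struct.pack("!HHI", 80, 51515, 0x01020304)  # first 8 bytes of the TCP header
    icmp_hdr = struct.pack("!BBHHH", 3, 4, 0, 0, 1492)     # type, code, cksum, unused, MTU
    return icmp_hdr + inner_ip + inner_l4

def parse_frag_needed(icmp: bytes) -> dict:
    """Parse an ICMP type 3 / code 4 message (ICMP header onward, no outer IP header)."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("truncated ICMP message")
    itype, code, _cksum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (itype, code) != (3, 4):
        raise ValueError("not a Fragmentation Needed message")
    inner = icmp[8:]                        # offending datagram: IP header + 8 payload bytes
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("malformed embedded IPv4 header")
    flags_frag = struct.unpack("!H", inner[6:8])[0]
    info = {
        "next_hop_mtu": mtu,                # 0 from routers that predate RFC 1191
        "df_set": bool(flags_frag & 0x4000),
        "proto": inner[9],
        "orig_src": socket.inet_ntoa(inner[12:16]),
        "orig_dst": socket.inet_ntoa(inner[16:20]),
    }
    if info["proto"] in (socket.IPPROTO_TCP, socket.IPPROTO_UDP):
        # For TCP and UDP the first four payload bytes are the source and destination ports.
        info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    return info

if __name__ == "__main__":
    print(parse_frag_needed(build_sample()))
```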