On Sun, 15 Aug 2010 19:02:50 +0200, Florian Weimer said:
* Valdis Kletnieks:
On Sun, 15 Aug 2010 18:46:49 +0200, Florian Weimer said:
And that connection that's trying to use PMTU got established across the commodity internet, how, exactly? ;)
ICMP "fragmentation needed, but DF set" messages carry the addresses of the intermediate routers which generate them (potentially in response to MTU drops) as source addresses, not the IP addresses of the peers in a connection.
If any long-haul carriers are originating ICMP packets for other people's consumption from 1918 addresses rather than addresses in their address space, it's time to name-n-shame so the rest of us can vote with our feet and checkbooks. There's no excuse for that in this day and age.
What does "originating" mean? Creating the packets? Or forwarding them?
Either way, there's no excuse. First off, remember that BCP38 and 1918 don't apply on your set of interconnected private networks, no matter how big a net it is. You want to filter between two of your private nets, go ahead. You don't want to, that's OK too. The fun starts when those packets leave your network(s) and hit the public Internet.

Now that we have that squared away... Either that intermediate router originated the ICMP 'frag needed' packet, in which case somebody needs to be smacked for originating a 1918-addressed packet on the public internet, or it's forwarding the packet. And if it's forwarding the packet, then somebody *else* needs to be smacked for injecting that packet into the public internet.

What *possible* use case would require a 1918-sourced packet to be traversing the public internet? We're all waiting with bated breath to hear this one. ;)
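As an added illustration of the two points being argued in the thread (it is not code from either poster): an ICMP "fragmentation needed, DF set" message (type 3, code 4) is sourced from the router that dropped the packet, and the peers of the connection only appear in the quoted inner IP header; a BCP38-style check at the public edge therefore looks at the outer source address alone. The script builds such a message the way a router would, parses it back, and applies the RFC 1918 source check. All addresses, ports and the MTU value are constructed for the example (RFC 5737 documentation space for the public side, 10/8 for the leaking router); the helper names are mine.

```python
"""Added example: build, parse and edge-filter an ICMP type 3 code 4 message.

Not from the original thread.  Addresses and ports are constructed test data.
"""
import ipaddress
import struct

# RFC 1918 space: no packet with such a source should cross the public Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4
IPV4_HDR = "!BBHHHBBH4s4s"  # ver/ihl, tos, total len, id, flags/frag, ttl, proto, cksum, src, dst


def _ipv4_header(src, dst, proto, total_len, df=False, ttl=64):
    """Minimal 20-byte IPv4 header; header checksum left at zero (nothing here checks it)."""
    flags = 0x4000 if df else 0
    return struct.pack(IPV4_HDR, 0x45, 0, total_len, 0, flags, ttl, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def _checksum(data):
    """RFC 1071 one's-complement checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frag_needed(router, orig_src, orig_dst, next_hop_mtu, orig_len=1500):
    """ICMP type 3 code 4 as a router emits it (RFC 792 / RFC 1191).

    Outer source = the ROUTER, outer destination = the original sender, and the body
    quotes the dropped datagram's IP header plus its first 8 bytes.
    """
    inner = _ipv4_header(orig_src, orig_dst, 6, orig_len, df=True)
    inner += struct.pack("!HHI", 443, 51234, 0x1000)  # constructed first 8 bytes of the dropped TCP segment
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu) + inner
    body = body[:2] + struct.pack("!H", _checksum(body)) + body[4:]
    return _ipv4_header(router, orig_src, 1, 20 + len(body)) + body


def parse_frag_needed(pkt):
    """Return the fields a receiver acts on, or None if this is not a valid type 3 code 4."""
    if len(pkt) < 20:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 1 or len(pkt) < ihl + 28:
        return None
    icmp = pkt[ihl:]
    typ, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (typ, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED) or _checksum(icmp) != 0:
        return None  # wrong message type, or checksum does not verify
    _, _, _, _, _, _, iproto, _, isrc, idst = struct.unpack(IPV4_HDR, icmp[8:28])
    return {
        "router": str(ipaddress.ip_address(src)),     # who generated the ICMP message
        "sender": str(ipaddress.ip_address(dst)),     # who is being told to shrink its packets
        "next_hop_mtu": mtu,
        "peer_src": str(ipaddress.ip_address(isrc)),  # the connection's peers, from the quoted header
        "peer_dst": str(ipaddress.ip_address(idst)),
        "inner_proto": iproto,
    }


def edge_filter(pkt):
    """BCP38-style check on a public-facing interface: judge the OUTER source address only.

    What the ICMP body says about the peers is irrelevant; a 1918-sourced packet
    has no legitimate reason to be on the public Internet.
    """
    src = ipaddress.ip_address(pkt[12:16])
    if any(src in net for net in RFC1918):
        return "drop: RFC 1918 source %s on public interface" % src
    return "accept"


if __name__ == "__main__":
    good = build_frag_needed("203.0.113.1", "198.51.100.10", "192.0.2.20", 1400)
    leak = build_frag_needed("10.0.0.1", "198.51.100.10", "192.0.2.20", 1400)
    for p in (good, leak):
        print(parse_frag_needed(p), "->", edge_filter(p))
```

Note that the leaking message parses perfectly well and carries two public peer addresses in its body; only the outer source gives it away, which is why the filter looks nowhere else.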