On Aug 29, 2013, at 18:15 , Mark Andrews <marka@isc.org> wrote:
In message <a708ea6a03eb4ca7a14f5b16e4ce8dda@BN1PR03MB171.namprd03.prod.outlook.com>, Christopher Palmer writes:
This is what I'm concerned about:
""" 1. If I originate IP packet fragments, such as an 8000 byte NFS packet broken into 1500 byte fragments, what's the probability of some host before the other endpoint dropping one or all of those fragments? """
For wide area NFS I would be using TCP not UDP. If you can't use TCP you should ensure that the firewalls at both ends pass fragmented UDP packets. NFS is generally not open to the world so fragmentation and NFS is essentially a local issue. Fragments don't get routinely dropped in the core.
However, passing fragmented UDP packets has its own (undesirable) set of security implications. Of course running NFS over an unencrypted path in the wild is, well, something with an additional (undesirable) set of security implications. (IOW, this should be happening inside a VPN)
Ensure that the firewalls at both ends pass ICMP/ICMPv6 PTB. Only idiots block all ICMP/ICMPv6. Yes there are a lot of idiots in the world.
+1 This cannot be stressed enough.

Owen
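The two points above, the fragment arithmetic for the 8000-byte datagram over a 1500-byte MTU and the ICMP "Packet Too Big" / "Fragmentation Needed" messages a firewall must let through, as an added example that is not part of the thread. It builds and validates both message types (ICMPv6 type 2 per RFC 4443, ICMPv4 type 3 code 4 per RFC 792/1191) from constructed packets on 2001:db8::/32 and 192.0.2.0/24 documentation addresses, and encodes a minimal allowlist of the ICMPv6 error types RFC 4890 says must not be dropped. All function names and sample packets are this example's own.

```python
"""ICMP PMTUD message handling and fragment counts. Added example; sample
packets are constructed, not captured from a real link."""
import ipaddress
import math
import struct
from typing import Optional

IPV6_HDR = 40
IPV6_FRAG_HDR = 8
IPV4_HDR = 20            # no options
UDP_HDR = 8
ICMPV6_PTB = 2           # RFC 4443: Packet Too Big
ICMPV4_UNREACH = 3
ICMPV4_FRAG_NEEDED = 4   # RFC 792/1191: Destination Unreachable, Fragmentation Needed
# RFC 4890 section 4.3.1: Destination Unreachable, Packet Too Big, Time Exceeded,
# Parameter Problem must not be dropped (codes not checked in this simplified list).
ICMPV6_MUST_PASS = {1, 2, 3, 4}

# Constructed endpoints (documentation prefixes).
SRC6 = ipaddress.ip_address("2001:db8::1").packed
DST6 = ipaddress.ip_address("2001:db8::2").packed


def fragment_count(udp_payload: int, mtu: int, ipv6: bool = True) -> int:
    """Fragments a UDP datagram of `udp_payload` bytes becomes at `mtu`.
    Every fragment but the last carries a multiple of 8 data bytes."""
    hdr = IPV6_HDR + IPV6_FRAG_HDR if ipv6 else IPV4_HDR
    per_frag = (mtu - hdr) // 8 * 8
    return math.ceil((udp_payload + UDP_HDR) / per_frag)


def _ones_complement_sum(data: bytes) -> int:
    """16-bit ones-complement sum with end-around carry (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmpv6_checksum(src: bytes, dst: bytes, msg: bytes) -> int:
    """RFC 2460 pseudo-header (src, dst, upper-layer length, zeros, next header 58)."""
    pseudo = src + dst + struct.pack("!I3xB", len(msg), 58)
    return (~_ones_complement_sum(pseudo + msg)) & 0xFFFF


def build_icmpv6_ptb(src: bytes, dst: bytes, mtu: int, invoking: bytes) -> bytes:
    """Type 2 PTB: 4-byte MTU, then as much of the offending packet as fits
    in the 1280-byte IPv6 minimum MTU."""
    body = invoking[: 1280 - IPV6_HDR - 8]
    msg = struct.pack("!BBHI", ICMPV6_PTB, 0, 0, mtu) + body
    return msg[:2] + struct.pack("!H", icmpv6_checksum(src, dst, msg)) + msg[4:]


def parse_ptb(src: bytes, dst: bytes, msg: bytes) -> Optional[int]:
    """Next-hop MTU if `msg` is a checksum-valid ICMPv6 Packet Too Big, else None."""
    if len(msg) < 8:
        return None
    typ, code, csum, mtu = struct.unpack("!BBHI", msg[:8])
    if typ != ICMPV6_PTB or code != 0:
        return None
    if icmpv6_checksum(src, dst, msg[:2] + b"\x00\x00" + msg[4:]) != csum:
        return None
    return mtu


def build_icmpv4_frag_needed(mtu: int, invoking: bytes) -> bytes:
    """Type 3 code 4: unused 16 bits, then 16-bit next-hop MTU, then IP header + 8 bytes."""
    msg = struct.pack("!BBHHH", ICMPV4_UNREACH, ICMPV4_FRAG_NEEDED, 0, 0, mtu) + invoking[:28]
    return msg[:2] + struct.pack("!H", (~_ones_complement_sum(msg)) & 0xFFFF) + msg[4:]


def parse_frag_needed(msg: bytes) -> Optional[int]:
    """Next-hop MTU if `msg` is a checksum-valid ICMPv4 Fragmentation Needed, else None."""
    if len(msg) < 8:
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if typ != ICMPV4_UNREACH or code != ICMPV4_FRAG_NEEDED:
        return None
    if _ones_complement_sum(msg) != 0xFFFF:   # valid checksum sums to all-ones
        return None
    return mtu


def firewall_passes_icmpv6(msg: bytes) -> bool:
    """Allowlist check a border filter should apply instead of 'drop all ICMPv6'."""
    return len(msg) >= 4 and msg[0] in ICMPV6_MUST_PASS


def sample_invoking6() -> bytes:
    """Constructed IPv6 header for the 8000-byte UDP datagram plus 64 payload bytes."""
    return struct.pack("!IHBB16s16s", 0x60000000, 8000 + UDP_HDR, 17, 64, SRC6, DST6) + bytes(64)


def sample_invoking4() -> bytes:
    """Constructed IPv4 header (192.0.2.1 -> 192.0.2.2) plus a UDP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + UDP_HDR + 8000, 0, 0, 64, 17, 0,
                     ipaddress.ip_address("192.0.2.1").packed, ipaddress.ip_address("192.0.2.2").packed)
    return ip + struct.pack("!HHHH", 2049, 2049, UDP_HDR + 8000, 0)


if __name__ == "__main__":
    print("IPv6 fragments at 1500:", fragment_count(8000, 1500))
    ptb = build_icmpv6_ptb(SRC6, DST6, 1280, sample_invoking6())
    print("PTB MTU:", parse_ptb(SRC6, DST6, ptb), "passes filter:", firewall_passes_icmpv6(ptb))
    print("v4 next-hop MTU:", parse_frag_needed(build_icmpv4_frag_needed(1400, sample_invoking4())))
```

The checksum checks matter in practice: a PTB that fails validation, or one whose quoted header does not match a flow you sent, should not lower a path MTU, since forged PTBs are a cheap way to push a peer down to 1280 (or, on IPv4, to a very small MTU) and force fragmentation of everything.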