[157593] in North American Network Operators' Group
Re: IP tunnel MTU
daemon@ATHENA.MIT.EDU (Sander Steffann)
Tue Oct 30 06:19:50 2012
From: Sander Steffann <sander@steffann.nl>
In-Reply-To: <f19ba348-e2d3-4f5a-ad2e-4a0c609d5257@mail.pelican.org>
Date: Tue, 30 Oct 2012 11:19:39 +0100
To: Tim Franklin <tim@pelican.org>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Hi,
>>> Certainly fixing all the buggy host stacks, firewall and compliance devices to realize that ICMP isn't bad won't be hard.
>>
>> Wait till you get started on "fixing" the "security" consultants.
>
> Ack. I've yet to come across a *device* that doesn't deal properly with "packet too big". Lots (and lots and lots) of "security" people, one or two applications, but no devices.

I know of one: Juniper SSG and SRX boxes used to block IPv6 ICMP errors when the screening option 'big ICMP packets' was enabled because it blocked all (v4 and v6) ICMP packets bigger than 1024 bytes and IPv6 ICMP errors are often 1280 bytes. I don't know if that has been fixed yet.
- Sander
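The failure mode Sander describes can be reproduced on the wire format alone. The following is an added example, not code from this thread or from Juniper: it builds an RFC 4443 ICMPv6 Packet Too Big message the way a router would (quoting as much of the invoking packet as fits in the 1280-byte IPv6 minimum MTU), then runs it through a size-only "big ICMP" screen modelled on the behaviour described above (drop any ICMP packet over 1024 bytes; this models the description, not Juniper's actual implementation) and through a corrected screen that exempts ICMPv6 error messages up to 1280 bytes. Addresses are constructed documentation addresses, the parser assumes IPv6 packets without extension headers, and `classify`, `screen_big_icmp_legacy` and `screen_big_icmp_fixed` are names chosen for this example.

```python
import ipaddress
import struct

IPV6_MIN_MTU = 1280            # RFC 8200: every IPv6 link must carry 1280-byte packets
IPV6_HDR_LEN = 40
ICMPV6_NEXT_HEADER = 58
ICMPV6_PACKET_TOO_BIG = 2      # RFC 4443 error types are 0-127, informational 128-255
ICMPV6_ECHO_REQUEST = 128


def ipv6_header(src, dst, payload_len, next_header, hop_limit=64):
    # version 6, traffic class 0, flow label 0
    return struct.pack("!IHBB", 6 << 28, payload_len, next_header, hop_limit) + src + dst


def icmpv6_checksum(src, dst, icmp):
    # RFC 4443 section 2.3: one's complement sum over the IPv6 pseudo-header
    # (src, dst, upper-layer length, zeros, next header = 58) plus the ICMPv6 message.
    pseudo = src + dst + struct.pack("!IxxxB", len(icmp), ICMPV6_NEXT_HEADER)
    data = pseudo + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet_too_big(router_src, host_dst, link_mtu, invoking_packet):
    # RFC 4443 section 2.4(c): include as much of the invoking packet as possible
    # without the resulting ICMPv6 packet exceeding the 1280-byte minimum MTU.
    max_quote = IPV6_MIN_MTU - IPV6_HDR_LEN - 8
    body = struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, link_mtu) + invoking_packet[:max_quote]
    csum = icmpv6_checksum(router_src, host_dst, body)
    body = body[:2] + struct.pack("!H", csum) + body[4:]
    return ipv6_header(router_src, host_dst, len(body), ICMPV6_NEXT_HEADER) + body


def build_echo_request(src, dst, payload_len):
    body = struct.pack("!BBHHH", ICMPV6_ECHO_REQUEST, 0, 0, 1, 1) + b"\x00" * payload_len
    csum = icmpv6_checksum(src, dst, body)
    body = body[:2] + struct.pack("!H", csum) + body[4:]
    return ipv6_header(src, dst, len(body), ICMPV6_NEXT_HEADER) + body


def classify(pkt):
    """Minimal parser for the fields the screen needs.
    Assumption for this example: IPv6 with no extension headers."""
    if pkt[0] >> 4 != 6:
        raise ValueError("only IPv6 is handled in this example")
    next_header = pkt[6]
    icmp_type = pkt[IPV6_HDR_LEN] if next_header == ICMPV6_NEXT_HEADER else None
    return {"icmp": next_header == ICMPV6_NEXT_HEADER, "type": icmp_type, "len": len(pkt)}


def screen_big_icmp_legacy(pkt, threshold=1024):
    """Size-only rule as described in the thread: drop any ICMP packet over the threshold."""
    info = classify(pkt)
    return "drop" if info["icmp"] and info["len"] > threshold else "permit"


def screen_big_icmp_fixed(pkt, threshold=1024):
    """Same rule, but ICMPv6 error messages (types 0-127) are bounded to 1280 bytes by
    RFC 4443, so they are permitted up to that size; large informational messages
    such as echo requests still fall under the size rule."""
    info = classify(pkt)
    if not info["icmp"] or info["len"] <= threshold:
        return "permit"
    if info["type"] < 128 and info["len"] <= IPV6_MIN_MTU:
        return "permit"
    return "drop"


# Constructed sample: documentation addresses only.
ROUTER = ipaddress.IPv6Address("2001:db8::1").packed
HOST = ipaddress.IPv6Address("2001:db8::2").packed
FAR_END = ipaddress.IPv6Address("2001:db8:ffff::1").packed

# A 1500-byte packet from HOST that hit a 1400-byte link and triggered the error.
INVOKING = ipv6_header(HOST, FAR_END, 1460, 17) + b"\x00" * 1460
PTB = build_packet_too_big(ROUTER, HOST, 1400, INVOKING)
BIG_PING = build_echo_request(HOST, FAR_END, 1352)   # 1400 bytes on the wire


def demo():
    """Returns what each screen does with the Packet Too Big and with a large ping."""
    return {
        "ptb_len": len(PTB),
        "ptb_legacy": screen_big_icmp_legacy(PTB),
        "ptb_fixed": screen_big_icmp_fixed(PTB),
        "ping_legacy": screen_big_icmp_legacy(BIG_PING),
        "ping_fixed": screen_big_icmp_fixed(BIG_PING),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The Packet Too Big comes out at exactly 1280 bytes, which is why a 1024-byte size cutoff silently breaks IPv6 path MTU discovery while a 1400-byte echo request is still dropped by the corrected rule. The same check can be run against any capture of a filter that is suspected of eating PTB messages: if the permitted ICMPv6 error size is below 1280, PMTUD will fail for any path whose invoking packets are large.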