[188246] in North American Network Operators' Group


Re: Internet Exchanges supporting jumbo frames?

daemon@ATHENA.MIT.EDU (Mark Andrews)
Sat Mar 12 16:28:38 2016

X-Original-To: nanog@nanog.org
To: Joel Maslak <jmaslak@antelope.net>
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Thu, 10 Mar 2016 07:58:29 -0700."
 <CADb+6TAqqYc2yLUGV7n4Qiioq8qasriNsBtCRNNvB2K1A-t1rw@mail.gmail.com>
Date: Sun, 13 Mar 2016 08:28:27 +1100
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org


In message <CADb+6TAqqYc2yLUGV7n4Qiioq8qasriNsBtCRNNvB2K1A-t1rw@mail.gmail.com>
, Joel Maslak writes:
> On Wed, Mar 9, 2016 at 9:27 AM, joel jaeggli <joelja@bogus.com> wrote:
> 
> > PMTU blackhole detection implemented in all hosts. IPv4 is lost cause in
> > > my opinion (although it's strange how many hosts that seem to get away
> > > with 1492 (or is it 1496) MTU because they're using PPPoE).
> >
> > if your adv_mss is set accordingly you can get away with
> >  a lot.
> >
> 
> At least for TCP.  EDNS with sizes > 14xx bytes just plain doesn't
> universally work across the internet, yet it's the default everywhere.

If you fix your own firewall to accept fragmented packets EDNS
basically works.  Over the years I've seen a couple of sites which
can't emit fragmented EDNS but they are few and far between.

Firewall vendors could also do the correct thing and support
installing slits as well as pinholes when generating reply
traffic acceptance rules on the fly.  They could be honest and
acknowledge that legitimate reply traffic includes packet fragments
and build their boxes to support it.

Outbound

	allow proto udp from any to any 53 keep-state permit-frags

could generate 

	allow proto udp from dst 53 to src src-port
		and
	allow proto udp from dst to src frag offset != 0

You still have the protocol and the source and destination addresses.
You also don't allow full packets to reassemble via the slit rule.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

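The "pinhole plus slit" behaviour Mark describes above, modelled as a small stateful-firewall simulation. This is an added example and not code from the post or from ISC; the packet fields, the `StatefulFirewall` class and the `permit_frags` flag are assumptions used to illustrate the idea (the `permit-frags` keyword in the post is hypothetical firewall syntax, not a real vendor's). The point it shows: an outbound UDP/53 query installs a reverse 5-tuple pinhole for the first fragment and a proto+address "slit" that admits only non-first fragments (offset != 0), so a large fragmented EDNS reply gets through while a whole packet from the resolver to some other port, or a stray fragment from an unrelated host, still does not.

```python
"""Toy stateful firewall: pinholes for reply 5-tuples, slits for reply fragments.

Added example (not from the original post). Packet layout, rule shapes and
the permit_frags flag are simplified assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int]      # None on non-first fragments: no UDP header present
    dport: Optional[int]
    frag_offset: int = 0      # 0 for an unfragmented packet or the first fragment
    more_frags: bool = False


class StatefulFirewall:
    def __init__(self) -> None:
        # pinhole: (proto, src, sport, dst, dport) of the expected reply
        self.pinholes: Set[Tuple[str, str, int, str, int]] = set()
        # slit: (proto, src, dst) of expected reply fragments (no ports visible)
        self.slits: Set[Tuple[str, str, str]] = set()

    def outbound(self, pkt: Packet, permit_frags: bool = False) -> bool:
        """Rule 'allow proto udp from any to any 53 keep-state [permit-frags]'."""
        if pkt.proto != "udp" or pkt.dport != 53:
            return False
        # pinhole for the reply: addresses and ports swapped
        self.pinholes.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if permit_frags:
            # slit for reply fragments: same proto and addresses, only offset != 0
            self.slits.add((pkt.proto, pkt.dst, pkt.src))
        return True

    def inbound(self, pkt: Packet) -> bool:
        """Return True if a packet from the Internet side is accepted."""
        if pkt.frag_offset == 0:
            # first fragment or whole packet: the UDP header is there, match the pinhole
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.pinholes
        # non-first fragment: no ports to check, so only a slit can admit it
        return (pkt.proto, pkt.src, pkt.dst) in self.slits


CLIENT, RESOLVER, STRANGER = "192.0.2.10", "198.51.100.53", "203.0.113.7"


def edns_reply_verdicts(permit_frags: bool) -> Tuple[bool, bool]:
    """Constructed scenario: a ~1600-byte EDNS answer arriving as two fragments."""
    fw = StatefulFirewall()
    fw.outbound(Packet("udp", CLIENT, RESOLVER, 40123, 53), permit_frags)
    frag1 = Packet("udp", RESOLVER, CLIENT, 53, 40123, frag_offset=0, more_frags=True)
    frag2 = Packet("udp", RESOLVER, CLIENT, None, None, frag_offset=185)  # 1480 / 8
    return fw.inbound(frag1), fw.inbound(frag2)


def slit_abuse_verdicts() -> dict:
    """What a slit does NOT let through, even with permit_frags on."""
    fw = StatefulFirewall()
    fw.outbound(Packet("udp", CLIENT, RESOLVER, 40123, 53), permit_frags=True)
    return {
        # whole packet from the resolver aimed at another port: offset 0, no pinhole
        "full_packet_other_port": fw.inbound(
            Packet("udp", RESOLVER, CLIENT, 53, 22, frag_offset=0)),
        # non-first fragment from a host we never queried: no slit
        "fragment_from_stranger": fw.inbound(
            Packet("udp", STRANGER, CLIENT, None, None, frag_offset=185)),
        # fragment of the right addresses but wrong protocol: no slit
        "tcp_fragment_from_resolver": fw.inbound(
            Packet("tcp", RESOLVER, CLIENT, None, None, frag_offset=185)),
    }


if __name__ == "__main__":
    print("pinhole only    :", edns_reply_verdicts(False))   # (True, False): reply truncated
    print("pinhole + slit  :", edns_reply_verdicts(True))    # (True, True)
    print("slit abuse cases:", slit_abuse_verdicts())        # all False
```

With the pinhole alone the second fragment is dropped and the client never reassembles the answer, which is the "can't receive fragmented EDNS" failure mode; with the slit the reply completes, while a full (offset 0) packet can still only enter through the exact reply 5-tuple.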