Andrew McConachie wrote on 2022-07-28 03:24:
>> Path MTU discovery remains widely undeployed due to
>> security issues, and IP fragmentation has exposed weaknesses in
>> application protocols.
> PMTUD doesn’t work through NAT and that’s probably the main reason why
> it doesn’t work on the Internet. I think that’s less of a security issue
> than just a general issue with PMTUD not working on the modern Internet.
path mtu discovery has been significantly rethought in the modern internet:
https://www.rfc-editor.org/rfc/rfc8899.html
apparently, it sometimes works:
https://developers.redhat.com/articles/2022/05/23/plpmtud-delivers-better-path-mtu-discovery-sctp-linux
see also:
<<This new algorithm does not rely on ICMP or other messages from the
network (so it is not subject to the problems described in RFC2923).
Instead it finds the proper MTU by starting with relatively small
packets and searching upwards by probing with test packets.>>
https://datatracker.ietf.org/wg/plpmtud/about/
i suggest further reading and perhaps reconsideration. we've got to
break out of the MTU 1500 jail some day or the internet will end in
header processing related heat death. some work is being done and some
results are already known. we should be open to the possibility of
improvement.
--
P Vixie
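The upward probe search described in the quoted PLPMTUD text, as an added illustration that is not part of this thread and not taken from any RFC 8899 implementation: the simulated path, its loss pattern, and the size constants are constructed for the example, and the binary search between a confirmed size and a failing size is one possible search strategy, not the one any particular stack uses.

```python
# Simplified packetization-layer PMTU search in the spirit of RFC 8899
# (DPLPMTUD). Only the packetization layer's own acknowledgements tell us
# whether a probe got through; no ICMP "Packet Too Big" message is consulted,
# so NATs or filters that drop ICMP cannot break the search.
from dataclasses import dataclass, field

BASE_PLPMTU = 1200   # size assumed to work on most paths (RFC 8899 default)
MAX_PLPMTU = 9000    # largest size we are willing to probe (assumed value)
MAX_PROBES = 3       # unacknowledged attempts before a size is declared unusable


@dataclass
class SimulatedPath:
    """Constructed stand-in for a real path: a fixed MTU plus optional loss."""
    path_mtu: int
    drop_first_attempt: bool = False
    attempts: dict = field(default_factory=dict)

    def probe(self, size: int) -> bool:
        """Send one probe of `size` bytes; True means it was acknowledged."""
        n = self.attempts.get(size, 0) + 1
        self.attempts[size] = n
        if self.drop_first_attempt and n == 1:
            return False            # ordinary loss, unrelated to packet size
        return size <= self.path_mtu


def probe_with_retries(probe, size: int, max_probes: int = MAX_PROBES) -> bool:
    """A size counts as unusable only after max_probes unacknowledged probes."""
    return any(probe(size) for _ in range(max_probes))


def search_plpmtu(probe, base: int = BASE_PLPMTU, max_plpmtu: int = MAX_PLPMTU):
    """Return (plpmtu, probes_sent). Starts small, then searches upward between
    the largest confirmed size and the smallest size known to fail."""
    probes = 0

    def counted(size):
        nonlocal probes
        probes += 1
        return probe(size)

    if not probe_with_retries(counted, base):
        return None, probes      # even BASE_PLPMTU fails: treat the path as a black hole
    lo, hi = base, max_plpmtu + 1   # lo is confirmed, hi is assumed to fail
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe_with_retries(counted, mid):
            lo = mid
        else:
            hi = mid
    return lo, probes
```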
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop