On 31 Jul 2022, at 20:53, Paul Vixie wrote:
> Andrew McConachie wrote on 2022-07-28 03:24:
>>> Path MTU discovery remains widely undeployed due to
>>> security issues, and IP fragmentation has exposed weaknesses in
>>> application protocols.
>> PMTUD doesn’t work through NAT and that’s probably the main
>> reason why it doesn’t work on the Internet. I think that’s less
>> of a security issue than just a general issue with PMTUD not working
>> on the modern Internet.
> path mtu discovery has been significantly rethought in the modern
> internet:
> https://www.rfc-editor.org/rfc/rfc8899.html
> apparently, it sometimes works:
> https://developers.redhat.com/articles/2022/05/23/plpmtud-delivers-better-path-mtu-discovery-sctp-linux
> see also:
> <<This new algorithm does not rely on ICMP or other messages from the
> network (so it is not subject to the problems described in RFC2923).
> Instead it finds the proper MTU by starting with relatively small
> packets and searching upwards by probing with test packets.>>
> https://datatracker.ietf.org/wg/plpmtud/about/
> i suggest further reading and perhaps reconsideration. we've got to
> break out of the MTU 1500 jail some day or the internet will end in
> header processing related heat death. some work is being done and some
> results are already known. we should be open to the possibility of
> improvement.
I apologize for derailing this conversation by bringing up NAT. My point
was that the document makes a claim that PMTUD ‘remains widely
undeployed due to security issues’. Yet it makes no reference to
anything that might back up that claim. I would suggest the document not
make any claim as to why PMTUD remains widely undeployed. If it must
make such a claim then there should be some supporting evidence for it.
—Andrew
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
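The probe-based search quoted above (start small, probe upward, ignore ICMP) as an added simulation, not code from this thread or from any of the linked implementations. It contrasts classic PMTUD with a packetization-layer search on a constructed path that filters ICMP; the SimPath class, the 1200/1500 byte window and the binary-search probe schedule are assumptions for illustration, not RFC 8899's exact algorithm.

```python
# Constructed simulation: classic PMTUD needs ICMP "too big" feedback from the
# network; the packetization-layer search learns the MTU from its own probes.

BASE_PLPMTU = 1200   # assumed starting probe size (RFC 8899 default for IPv6)
MAX_PLPMTU = 1500    # assumed upper bound of the search window


class SimPath:
    """Constructed path: drops anything above mtu; may also swallow ICMP."""

    def __init__(self, mtu, icmp_filtered):
        self.mtu = mtu
        self.icmp_filtered = icmp_filtered

    def send(self, size):
        """Return (delivered, icmp_too_big_received)."""
        if size <= self.mtu:
            return True, False
        return False, not self.icmp_filtered


def classic_pmtud(path, size=MAX_PLPMTU, max_rounds=3):
    """Send DF packets and rely on ICMP to learn the MTU.
    Returns the size that got through, or None on a PMTUD black hole."""
    for _ in range(max_rounds):
        delivered, too_big = path.send(size)
        if delivered:
            return size
        if not too_big:
            return None        # no feedback at all: the black hole case
        size = path.mtu        # the ICMP message carries the next-hop MTU
    return None


def plpmtud(path):
    """Start at BASE_PLPMTU and probe upward (binary search, an assumption).
    An acknowledged probe raises the floor, a lost probe lowers the ceiling;
    ICMP is never consulted, so filtering it changes nothing."""
    lo, hi = BASE_PLPMTU, MAX_PLPMTU
    if not path.send(lo)[0]:
        return None            # even the base size is lost: path unusable
    while lo < hi:
        probe = (lo + hi + 1) // 2
        if path.send(probe)[0]:
            lo = probe
        else:
            hi = probe - 1
    return lo                  # largest size confirmed by a delivered probe
```

With ICMP filtered, classic_pmtud returns None for a 1400-byte path while plpmtud still converges on 1400.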