On Mon, Jan 20, 2014 at 11:59:39AM +0100, Tore Anderson wrote:
> Or, even better, get rid of the tunneling crap and get native IPv6. This
> is a very common problem for IPv6 tunnels. As a web site operator I
> would actually prefer it if people stayed IPv4-only until their ISP
> could provide them with properly supported IPv6 connectivity. Oh well...

Tunnels should actually work fine and ICMP rate limiting should take place per destination (or on a /64 boundary). Either someone messed up their filters or we have a software bug (maybe we should just introduce a netfilter target which does mid-path fragmentation of IPv6 packets :P ).

We had some pretty significant bugs in pmtud in Linux which were fixed some while ago:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e3bc10bd95d7fcc3f2ac690c6ff22833ea6781d6
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=01ba16d6ec85a1ec4669c75513a76b61ec53ee50

But they have not yet been integrated in all the vendors' kernels.

Especially on heavily loaded servers we need some way to ensure longer pmtu lifetimes in the routing table. Currently they can easily get evacuated too fast if lots of IPv6 flows hit a Linux end host and should hold on at least the minimal time the administrator had configured.

Greetings,

Hannes