> -----Original Message-----
> From: ipv6-boun...@ietf.org [mailto:ipv6-boun...@ietf.org] On
> Behalf Of RJ Atkinson
> Sent: Wednesday, January 04, 2012 10:47 AM
> To: ipv6@ietf.org
> Subject: Re: Fragmentation-related security issues
>
>
> On 04 Jan 2012, at 10:24 , Philip Homburg wrote:
> > Yes, but PMTU failures are not a protocol issue.
> > It is an operational issue. So when the IPv6
> > network is just a bunch of techies who are connected by
> > tunnels, you expect PMTU to sort of work.
>
> I didn't expect it to work, given the history of PMTU
> in the deployed Internet. When it does work, PMTU is
> wonderful. It has not been reliable for IPv4 either.
>
> > By the time the internet is big enough that some
> > routers just send ICMPs with link local source and
> > nobody notices, then PMTU starts to break down.
>
> We have long standing experience with PMTU. It hasn't
> been completely reliable for IPv4. It is no surprise
> that it is not completely reliable for IPv6 either.
>
> > I'm sure you know about the small difference between IPv4 and IPv6
> > when it comes to fragmentation. For IPv4, if a DNS server needs
> > to send a, say, 1000 octet reply then it can just send it.
> > If necessary, routers on the way will fragment the reply.
>
> Actually, IPv4 routers generally won't fragment the reply
> for too-big IPv4 packets -- not even if the DF bit allows
> them to do so. Most deployed IPv4 transit routers
> disabled all router fragmentation of IPv4 packets
> years ago.
"Most deployed IPv4 transit routers disabled all router fragmentation
of IPv4 packets years ago."

Are you sure about that? Because I have had at least one person from a
major router vendor tell me that router fragmentation is well supported
in their products. Disabling router fragmentation for DF=0 packets seems
risky; too many things could break.

Fred
fred.l.temp...@boeing.com

> My understanding is that existing DNS servers often
> choose to send less-than-MTU sized DNS replies
> in part because of issues with IPv4 PMTU. So, again,
> this situation is not new with IPv6.
>
> > On the other hand, for IPv6, a DNS server will have
> > to fragment at the lowest common denominator. So making
> > the minimum link MTU 576, will cause a lot more IPv6
> > fragments than you would get for IPv4. And makes IPv6
> > quite a bit worse than IPv4.
>
> That does not sound identical with other folks' analysis
> about DNS. For example, that isn't identical with what
> Mark Andrews has said.
>
> > If you follow this to the logical conclusion, then with the
> > IPv6-IPv4 translators, a DNS server has to add a fragmentation
> > header to every DNS reply, even the small ones.
>
> That does seem consistent with what other folks concerned
> about DNS have already noted.
>
> > Well, you can always tunnel IPv6 over IPv4. Problem solved :-)
>
> If there were infinite bandwidth, it would be. Sadly,
> RF links with smaller MTUs generally are also relatively
> low data rate -- mostly visibly lower data rate than
> Ethernet.
>
> Yours,
>
> Ran
>
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
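The fragment arithmetic argued over above (how many IPv6 packets a 1000-octet DNS reply becomes at a 576-octet versus a 1280-octet MTU, and the "Fragment header on every reply" case raised for IPv6-IPv4 translators) can be made concrete. The following is an added illustration written for this page; it is not code from Fred, Ran, Philip or any IETF project. It follows the Fragment header layout of RFC 2460 section 4.5 and assumes the 1000-octet reply is carried over UDP (8-octet header), uses all-zero source and destination addresses as constructed placeholders, and the `force_frag_header` switch is this example's own way of modelling the translator case.

```python
"""IPv6 fragmentation arithmetic plus a minimal fragmenter and reassembler
(Fragment header per RFC 2460 section 4.5).  Added example for the thread
above; not code from any participant.  Assumed: a 1000-octet DNS reply over
UDP, all-zero addresses as constructed placeholders."""
import struct

IPV6_HDR_LEN = 40      # fixed IPv6 header
FRAG_HDR_LEN = 8       # Fragment extension header
UDP_HDR_LEN = 8
NH_UDP = 17
NH_FRAGMENT = 44


def max_fragment_payload(mtu, unfrag_len=IPV6_HDR_LEN):
    """Largest slice of the fragmentable part that fits in one packet of size
    mtu.  Every fragment but the last must carry a multiple of 8 octets."""
    per_frag = (mtu - unfrag_len - FRAG_HDR_LEN) // 8 * 8
    if per_frag <= 0:
        raise ValueError("MTU too small for even one 8-octet fragment")
    return per_frag


def fragment_count(fragmentable_len, mtu):
    """Packets needed to carry a fragmentable part (upper-layer header plus
    data) over a path with the given MTU; 1 means no fragmentation needed."""
    if IPV6_HDR_LEN + fragmentable_len <= mtu:
        return 1
    return -(-fragmentable_len // max_fragment_payload(mtu))  # ceiling


def ipv6_header(payload_len, next_header, src, dst, hop_limit=64):
    # version 6, traffic class 0, flow label 0
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len,
                       next_header, hop_limit, src, dst)


def fragment_packet(fragmentable, mtu, src, dst, ident,
                    next_header=NH_UDP, force_frag_header=False):
    """Split `fragmentable` into IPv6 packets no larger than mtu.
    force_frag_header=True (this example's own switch) makes a packet that
    would fit anyway still carry a Fragment header with offset 0 and M=0,
    the 'fragment header on every reply' case mentioned for translators."""
    if not force_frag_header and IPV6_HDR_LEN + len(fragmentable) <= mtu:
        return [ipv6_header(len(fragmentable), next_header, src, dst) + fragmentable]
    per_frag = max_fragment_payload(mtu)
    packets = []
    for offset in range(0, len(fragmentable), per_frag):
        chunk = fragmentable[offset:offset + per_frag]
        more = 1 if offset + per_frag < len(fragmentable) else 0
        # Fragment header: next header, reserved, 13-bit offset in 8-octet
        # units + 2 reserved bits + M flag, 32-bit identification
        frag_hdr = struct.pack("!BBHI", next_header, 0,
                               ((offset // 8) << 3) | more, ident)
        hdr = ipv6_header(FRAG_HDR_LEN + len(chunk), NH_FRAGMENT, src, dst)
        packets.append(hdr + frag_hdr + chunk)
    return packets


def reassemble(packets):
    """Rebuild (next_header, fragmentable_part) from one packet or a full
    fragment set.  Completeness is checked by length only; a real stack keys
    state by (src, dst, identification), bounds it with a timer and rejects
    overlapping fragments, none of which is modelled here."""
    parts, total, inner_nh = {}, None, None
    for pkt in packets:
        _, plen, nh, _, _, _ = struct.unpack("!IHBB16s16s", pkt[:IPV6_HDR_LEN])
        body = pkt[IPV6_HDR_LEN:IPV6_HDR_LEN + plen]
        if nh != NH_FRAGMENT:
            return nh, body                      # unfragmented packet
        inner_nh, _, off_flags, _ident = struct.unpack("!BBHI", body[:FRAG_HDR_LEN])
        offset, more = (off_flags >> 3) * 8, off_flags & 1
        data = body[FRAG_HDR_LEN:]
        parts[offset] = data
        if not more:
            total = offset + len(data)           # last fragment fixes the size
    assembled = b"".join(parts[k] for k in sorted(parts))
    if total is None or len(assembled) != total:
        raise ValueError("incomplete fragment set")
    return inner_nh, assembled


if __name__ == "__main__":
    # Constructed sample: UDP header followed by a 1000-octet DNS reply body
    reply = bytes(UDP_HDR_LEN) + bytes(i & 0xFF for i in range(1000))
    src = dst = bytes(16)
    for mtu in (576, 1280):
        print(f"MTU {mtu}: {fragment_count(len(reply), mtu)} packet(s)")
    frags = fragment_packet(reply, 576, src, dst, ident=0xABCD)
    assert reassemble(frags) == (NH_UDP, reply)
```

At a 576-octet MTU the 1008-octet fragmentable part (UDP header plus reply) needs two packets, 528 and 480 octets of data respectively, while at the 1280-octet IPv6 minimum it travels unfragmented; with `force_frag_header=True` at 1280 it becomes a single packet that still carries a Fragment header (offset 0, M=0). Reassembling in either order round-trips the original bytes.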