On 2012-01-05 11:50, Templin, Fred L wrote:
>
>
>> -----Original Message-----
>> From: Fernando Gont [mailto:fg...@si6networks.com]
>> Sent: Wednesday, January 04, 2012 2:22 PM
>> To: Templin, Fred L
>> Cc: Brian E Carpenter; ipv6@ietf.org
>> Subject: Re: Fragmentation-related security issues
>>
>> On 01/04/2012 07:06 PM, Templin, Fred L wrote:
>>>> I see no reason to expect that PMTUD will be more reliable for
>>>> IPv6 than for IPv4.
>>> I think a lot is now hinging on the assumption that
>>> PMTUD for IPv6 works. Unlike the situation for IPv4,
>>> I see no reason to expect that PMTUD for IPv6 will
>>> be unreliable.
>> It has been found to break, already -- as a result of firewalls
>> filtering ICMPv6 messages, or some intermediate systems with
>> inappropriate rate limiting for all ICMPv6 traffic.
>
> If IPv6 PMTUD breaks, it is due to violations of the specs.
> If IPv6 PMTUD breaks, then we are lost - time to give up
> and design a different protocol?

The point is that paranoid firewalls will turn this into an arms race -
if they are paranoid enough to block ICMP PTB, which apparently many are,
why wouldn't they block any other signalling mechanism - especially a
new one? That's why RFC 4821 describes MTU probing hidden in the
transport layer, where hopefully firewalls would let it be.

You will probably look in vain for widely deployed versions of RFC 4821.

   Brian

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
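
Added example, not part of the mailing-list thread: a small simulation contrasting ICMPv6 PTB-driven path MTU discovery with an RFC 4821-style probe search on a path where a firewall drops Packet Too Big messages. The `Path` model, function names and hop MTUs are constructed for illustration, and every undelivered probe is treated as an MTU failure (a real implementation must also rule out congestion loss).

```python
IPV6_MIN_MTU = 1280  # smallest MTU every IPv6 link must support


class Path:
    """Constructed path model: per-hop MTUs plus an 'ICMPv6 PTB filtered' flag."""

    def __init__(self, hop_mtus, ptb_filtered):
        self.hop_mtus = hop_mtus
        self.ptb_filtered = ptb_filtered

    def send(self, size):
        """Return ('delivered', None), ('ptb', mtu) or ('lost', None)."""
        for mtu in self.hop_mtus:
            if size > mtu:
                # The router drops the packet; its PTB only helps if it gets back.
                return ("lost", None) if self.ptb_filtered else ("ptb", mtu)
        return ("delivered", None)


def classical_pmtud(path, link_mtu, max_tries=8):
    """PTB-driven discovery. Returns the usable size, or None for a black hole."""
    size = link_mtu
    for _ in range(max_tries):
        status, mtu = path.send(size)
        if status == "delivered":
            return size
        if status == "ptb":
            size = max(mtu, IPV6_MIN_MTU)
        # On 'lost' the sender learns nothing and retransmits the same size.
    return None


def plpmtud(path, link_mtu):
    """RFC 4821-style search using only probe delivery or loss as the signal."""
    low, high = IPV6_MIN_MTU, link_mtu  # low is known good, high is the ceiling
    while low < high:
        probe = (low + high + 1) // 2
        status, _ = path.send(probe)
        if status == "delivered":
            low = probe       # probe acknowledged: raise the floor
        else:
            high = probe - 1  # no acknowledgement: lower the ceiling
    return low


if __name__ == "__main__":
    filtered = Path([1500, 1400, 1500], ptb_filtered=True)  # constructed path
    print("classical:", classical_pmtud(filtered, 1500))
    print("plpmtud:  ", plpmtud(filtered, 1500))
```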