On 2012-01-05 11:50, Templin, Fred L wrote:
>  
> 
>> -----Original Message-----
>> From: Fernando Gont [mailto:fg...@si6networks.com] 
>> Sent: Wednesday, January 04, 2012 2:22 PM
>> To: Templin, Fred L
>> Cc: Brian E Carpenter; ipv6@ietf.org
>> Subject: Re: Fragmentation-related security issues
>>
>> On 01/04/2012 07:06 PM, Templin, Fred L wrote:
>>>> I see no reason to expect that PMTUD will be more reliable for
>>>> IPv6 than for IPv4.
>>> I think a lot is now hinging on the assumption that
>>> PMTUD for IPv6 works. Unlike the situation for IPv4,
>>> I see no reason to expect that PMTUD for IPv6 will
>>> be unreliable.
>> It has been found to break, already -- as a result of firewalls
>> filtering ICMPv6 messages, or some intermediate systems with
>> inappropriate rate limiting for all ICMPv6 traffic.
> 
> If IPv6 PMTUD breaks, it is due to violations of the specs.
> If IPv6 PMTUD breaks, then we are lost - time to give up
> and design a different protocol?

The point is that paranoid firewalls will turn this into an
arms race - if they are paranoid enough to block ICMP PTB,
which apparently many are, why wouldn't they block any other
signalling mechanism - especially a new one?

That's why RFC 4821 describes MTU probing hidden in the transport
layer, where hopefully firewalls would let it be. You will
probably look in vain for widely deployed versions of RFC 4821.

     Brian
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
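
The contrast drawn in this message, ICMP-driven PMTUD versus probing from the transport layer when Packet Too Big is filtered, as an added example that is not part of the original thread and is not RFC 4821 reference code. The path model, link MTUs and function names are constructed for illustration, and the search treats a single lost probe as "too large", whereas a real implementation must also allow for probes lost to congestion.

```python
# Added illustration: simulated path with constructed link MTUs.
IPV6_MIN_MTU = 1280  # every IPv6 link must be able to carry this size


class Path:
    """Constructed model: per-hop link MTUs plus a firewall that may drop ICMPv6 PTB."""

    def __init__(self, link_mtus, icmp_ptb_filtered):
        self.link_mtus = link_mtus
        self.icmp_ptb_filtered = icmp_ptb_filtered

    def send(self, size):
        """Return ('delivered', None), ('ptb', mtu) or ('lost', None)."""
        for mtu in self.link_mtus:
            if size > mtu:
                if self.icmp_ptb_filtered:
                    return ("lost", None)  # silent drop: a PMTUD black hole
                return ("ptb", mtu)        # router reports its link MTU
        return ("delivered", None)


def classic_pmtud(path, first_hop_mtu, max_tries=8):
    """ICMP-driven PMTUD: the sender shrinks only when a PTB message arrives."""
    size = first_hop_mtu
    for _ in range(max_tries):
        result, mtu = path.send(size)
        if result == "delivered":
            return size
        if result == "ptb":
            size = mtu
        # 'lost' carries no signal, so the same size is retransmitted
    return None  # connection stalls


def plpmtud(path, first_hop_mtu, low=IPV6_MIN_MTU):
    """Transport-layer probing: only 'probe acknowledged' vs 'probe lost' is used."""
    high, probes = first_hop_mtu, 0
    while low < high:
        probe = (low + high + 1) // 2
        probes += 1
        result, _ = path.send(probe)
        if result == "delivered":
            low = probe       # acknowledged: raise the lower bound
        else:
            high = probe - 1  # lost (or PTB): treat the size as too large
    return low, probes
```
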
