Hi Fernando,

> -----Original Message-----
> From: Fernando Gont [mailto:fg...@si6networks.com]
> Sent: Wednesday, January 04, 2012 8:21 PM
> To: Brian E Carpenter
> Cc: Templin, Fred L; ipv6@ietf.org
> Subject: Re: Fragmentation-related security issues
>
> On 01/04/2012 11:55 PM, Brian E Carpenter wrote:
> > That's why RFC 4821 describes MTU probing hidden in the transport
> > layer, where hopefully firewalls would let it be. You will
> > probably look in vain for widely deployed versions of RFC 4821.
>
> The problem with RFC4821 (assuming the ICMP-free variant) is that it
> has a longer convergence time than ICMP-enabled PMTU.

RFC4821 works even if there are no ICMPs, but will converge more
quickly if there are ICMPs. That is why RFC4821 should be a SHOULD
for hosts, and generation of ICMPs should be a MUST for routers.

> That's why people think of RFC4821 as a mechanism for PMTUD blackhole
> detection rather than as a replacement for traditional PMTUD
> (i.e., you use the transport-layer probes when it looks like
> traditional PMTUD is not working (possibly as a result of filtered
> ICMP error messages)).

The two are complementary. RFC4821 is about the endpoints of
communication working together in parallel with the network
providing a best-effort service. It's just that sometimes the
network best-effort service is not good enough.

Fred
fred.l.temp...@boeing.com

> Thanks,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fg...@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
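
Added example, not part of the original message and not RFC 4821's own state machine: a simplified Python model of the convergence difference discussed in the thread, comparing a path where Packet Too Big errors are delivered with one where they are filtered. The binary search strategy, the 8-byte granularity, the sample path MTUs and the RTT and timeout values are assumptions made for illustration.

```python
# Simplified model of packetization-layer path MTU search.
# Assumptions: binary search, 8-byte granularity, constructed path and timings.
IPV6_MIN_MTU = 1280  # minimum IPv6 link MTU; always safe to send

def send_probe(size, path_mtus, icmp_delivered):
    """Outcome of one probe: ('ack', None), ('ptb', mtu) or ('timeout', None)."""
    for hop_mtu in path_mtus:
        if size > hop_mtu:
            # The router drops the packet. Its Packet Too Big error reaches
            # the sender only if nothing on the return path filters ICMP.
            return ("ptb", hop_mtu) if icmp_delivered else ("timeout", None)
    return ("ack", None)

def discover_pmtu(path_mtus, link_mtu, icmp_delivered, granularity=8):
    """Return (pmtu, probes_sent, probes_timed_out)."""
    low, high = IPV6_MIN_MTU, link_mtu  # low is known good, high is the ceiling
    probes = timeouts = 0
    size = high  # start optimistic with the local link MTU
    while high - low >= granularity:
        probes += 1
        result, reported = send_probe(size, path_mtus, icmp_delivered)
        if result == "ack":
            low = size
            size = (low + high + 1) // 2
        elif result == "ptb":
            # Take the reported MTU as the new ceiling, then confirm it
            # with a probe instead of trusting the ICMP message outright.
            high = max(low, min(reported, size - 1))
            size = high
        else:
            # Silent loss: "too big" is learned only after the probe timer.
            timeouts += 1
            high = size - 1
            size = (low + high + 1) // 2
    return low, probes, timeouts

def convergence_ms(probes, timeouts, rtt_ms=100, probe_timeout_ms=1000):
    """Answered probes cost one RTT each; lost probes cost a full timeout."""
    return (probes - timeouts) * rtt_ms + timeouts * probe_timeout_ms

if __name__ == "__main__":
    path = [1500, 1400, 1500]  # constructed: one 1400-byte hop on the path
    for icmp in (True, False):
        pmtu, probes, timeouts = discover_pmtu(path, 1500, icmp)
        print(icmp, pmtu, probes, timeouts, convergence_ms(probes, timeouts))
```

In this model both runs converge, but the ICMP-free run spends most of its time waiting out probe timers, which is the convergence cost the thread describes.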