hello, Tore Anderson, you're right, clamping MSS is very efficient and very certainly solves most of the problems.
now for UDP, I don't know yet how things like QUIC can be handled ...

regards,
--
Jean-Daniel Pauget http://rezopole.net/
Rezopole/LyonIX +33 (0)4 27 46 00 50

On Wed, Mar 06, 2019 at 08:17:42AM +0100, Tore Anderson wrote:
> * Jean-Daniel Pauget
>
> > I confess using IPv6 behind a 6in4 tunnel because the "Business-Class" service
> > of the concerned operator doesn't handle IPv6 yet.
> >
> > as such, I realised that, as far as I can figure, ICMPv6 packet "too-big" (rfc 4443)
> > seem to be ignored or filtered at ~60% of CloudFlare's http farms
> >
> > as a result, random sites such as http://nanog.org/ or https://www.ansible.com/
> > are badly reachable whenever small mtu are involved ...
>
> Hi Jean-Daniel.
>
> If you're using tunnels you'll want to have your tunnel endpoint
> adjust down the TCP MSS value to match the MTU of the tunnel interface.
> That way, you'll avoid problems with Path MTU Discovery. Even in those
> situations where PMTUD does work fine, doing TCP MSS adjustment will
> improve performance as the server does not need to spend an RTT to
> discover your reduced MTU.
>
> (This isn't really an IPv6 issue, by the way - ISPs using PPPoE will
> typically perform MSS adjustment for IPv4 packets too.)
>
> If you're using Linux as your tunnel endpoint, try:
>
>   ip6tables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>
> Tore
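
What the MSS clamp suggested in the quoted message does to a forwarded SYN, as an added example (not part of the original thread and not netfilter's code): it lowers the MSS option to the path MTU minus the IPv6 and TCP headers and patches the checksum incrementally (RFC 1624). The 1480-byte tunnel MTU used when calling it (1500 minus the 20-byte IPv4 header of 6in4), the addresses, the ports and all function names are assumptions made for the illustration.

```python
import struct

IPV6_HDR, TCP_HDR = 40, 20                           # fixed header sizes in bytes
SRC = bytes.fromhex("20010db8" + "00" * 11 + "01")   # constructed: 2001:db8::1
DST = bytes.fromhex("20010db8" + "00" * 11 + "02")   # constructed: 2001:db8::2

def fold(s: int) -> int:                             # one's complement carry fold
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def tcp6_checksum(src: bytes, dst: bytes, tcp: bytes) -> int:
    """Full TCP checksum over the IPv6 pseudo-header (next header 6)."""
    data = src + dst + struct.pack("!II", len(tcp), 6) + tcp[:16] + b"\0\0" + tcp[18:]
    data += b"\0" * (len(data) % 2)
    return ~fold(sum(struct.unpack(f"!{len(data) // 2}H", data))) & 0xFFFF

def sample_syn(src: bytes, dst: bytes, mss: int, nop_first: bool = False) -> bytes:
    """Constructed SYN (ports 40000 -> 443) carrying one MSS option."""
    opts = (b"\x01" if nop_first else b"") + struct.pack("!BBH", 2, 4, mss)
    opts += b"\x01" * (-len(opts) % 4)               # NOP-pad to a 32-bit boundary
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0,
                      (TCP_HDR + len(opts)) // 4 << 4, 0x02, 64800, 0, 0) + opts
    return tcp[:16] + struct.pack("!H", tcp6_checksum(src, dst, tcp)) + tcp[18:]

def clamp_mss(tcp: bytes, path_mtu: int) -> bytes:
    """Lower the MSS option of a SYN so a full segment fits in path_mtu."""
    limit = path_mtu - IPV6_HDR - TCP_HDR
    if len(tcp) < TCP_HDR or not tcp[13] & 0x02:     # too short, or not a SYN
        return tcp
    hdr_len, i = (tcp[12] >> 4) * 4, TCP_HDR
    while i + 1 < hdr_len <= len(tcp) and tcp[i] != 0:   # kind 0 ends the list
        length = 1 if tcp[i] == 1 else tcp[i + 1]        # NOP has no length byte
        if i + length > hdr_len or (tcp[i] != 1 and length < 2):
            break                                        # malformed: leave untouched
        if tcp[i] == 2 and length == 4:                  # MSS option
            old = struct.unpack_from("!H", tcp, i + 2)[0]
            if old <= limit:
                break                                    # already small enough
            out = bytearray(tcp)
            struct.pack_into("!H", out, i + 2, limit)
            s = ~struct.unpack_from("!H", tcp, 16)[0] & 0xFFFF
            for w in range((i + 2) & ~1, i + 4, 2):      # each 16-bit word touched
                s += (~struct.unpack_from("!H", tcp, w)[0] & 0xFFFF) + struct.unpack_from("!H", out, w)[0]
            struct.pack_into("!H", out, 16, ~fold(s) & 0xFFFF)
            return bytes(out)
        i += length
    return tcp
```

The clamp only ever touches TCP SYNs, so it does nothing for UDP-based transports such as QUIC, which is the open question raised in the reply.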