Greetings Sten,
I'm a little worried about a couple of the things you've said:
1. "It is more common to block icmp messages about reassembly problems than
DF problems IF a message is generated in the first place."
I think that's crap. Most firewalls DO correctly and statefully accept the
ICMP messages for existing sockets. ipf and pf do, but I'm not sure about
IPFW2, but I'd be surprised if it didn't. I'd also be surprised if iptables
in linux land didn't track the ICMP. Most commercial firewalls, like
Netscreen, Checkpoint, PIX, all do also.
2. "Consider a client connected to an isp's network(1). The isp drops all
ICMP packets. That network is then connected to a third network(2) which
has a data path that has an MTU of 1400 bytes but also mangles tcp mss
to 1360, udp packets must get fragmented. On the server side the firewall
must reassemble all udp fragments before passing them on to server."
If your ISP doesn't understand the importance of ICMP and they just drop it,
change ISPs. ICMP is critical to efficient TCP, and your whole thread is
about getting that ability for UDP. If your ISP does drop ICMP then the
don't defragment option will just result in packets disappearing anyway.
Regards,
Dave Seddon
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
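The point of contention above is whether a stateful firewall will pass an ICMP "fragmentation needed" error (type 3, code 4) to a host that has an existing connection. The following is an added worked example, not code from either poster or from any firewall: it builds such an error from constructed addresses (192.0.2.10 talking to 198.51.100.7 through a hypothetical router 203.0.113.1), parses it the way a stateful filter would, admits it only if the quoted inner datagram matches a flow in a hypothetical state table, pulls out the next-hop MTU, and derives the MSS a path with a 1400-byte MTU can carry (the 1400/1360 pair from Sten's quoted scenario). It handles both TCP and UDP quoted headers, which goes slightly beyond the post; the pf/ipf internals are not reproduced here.

```python
"""Model of a stateful firewall's handling of ICMP "fragmentation needed".
Constructed example: addresses, the state table and the router are made up."""
import struct
from ipaddress import IPv4Address

ICMP_PROTO, TCP_PROTO, UDP_PROTO = 1, 6, 17
ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED = 3, 4


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, df: bool = True) -> bytes:
    """20-byte IPv4 header, no options; DF set by default, as PMTUD senders do."""
    flags_frag = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      flags_frag, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def frag_needed(router: str, quoted: bytes, next_hop_mtu: int) -> bytes:
    """ICMP type 3 code 4 from `router` back to the quoted datagram's source,
    carrying the next-hop MTU (RFC 1191) plus the offending IP header + 8 bytes."""
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0,
                       next_hop_mtu) + quoted
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    # The error goes to the source of the datagram that was too big.
    victim = str(IPv4Address(quoted[12:16]))
    return ipv4_header(router, victim, ICMP_PROTO, len(body), df=False) + body


def parse_frag_needed(packet: bytes) -> dict:
    """Validate the error and recover the flow it refers to.  The quoted
    datagram is the one *we* sent, so inner src/sport are our side."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != ICMP_PROTO:
        raise ValueError("not ICMP")
    icmp = packet[ihl:]
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (itype, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        raise ValueError("not fragmentation-needed")
    if inet_checksum(icmp) != 0:          # checksum over a correct message sums to zero
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    l4 = inner[inner_ihl:inner_ihl + 8]
    if len(l4) < 4:
        raise ValueError("quoted datagram too short to identify the flow")
    sport, dport = struct.unpack("!HH", l4[:4])   # TCP and UDP both start with ports
    return {
        "router": str(IPv4Address(packet[12:16])),
        "mtu": mtu,
        "flow": (inner[9], str(IPv4Address(inner[12:16])), sport,
                 str(IPv4Address(inner[16:20])), dport),
    }


def related_state(states: dict, err: dict):
    """What a stateful filter does: admit the error only if the quoted flow
    already exists.  `states` is keyed (proto, local, lport, remote, rport)."""
    return states.get(err["flow"])


def clamp_mss(path_mtu: int) -> int:
    """Largest TCP segment the path carries unfragmented: MTU minus the
    20-byte IPv4 and 20-byte TCP headers (no options)."""
    return path_mtu - 40


# Constructed scenario: our host has one TCP connection open (hypothetical table).
STATES = {(TCP_PROTO, "192.0.2.10", 54321, "198.51.100.7", 443): "ESTABLISHED"}


def demo() -> dict:
    # The 1500-byte DF datagram we sent: IPv4 header + first 8 bytes of TCP.
    quoted = ipv4_header("192.0.2.10", "198.51.100.7", TCP_PROTO, 1480)
    quoted += struct.pack("!HHI", 54321, 443, 1000)
    err = parse_frag_needed(frag_needed("203.0.113.1", quoted, 1400))
    err["state"] = related_state(STATES, err)
    err["mss"] = clamp_mss(err["mtu"])
    return err


if __name__ == "__main__":
    print(demo())
```

A firewall that tracks ICMP "related" to state will pass the first error (its quoted flow is in the table) and drop one quoting an unknown flow; a firewall that blocks all ICMP drops both, and the sender never learns the 1400-byte limit. For UDP there is no MSS to clamp, which is why the post treats that case separately.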