* Stuart Henderson (s...@spacehopper.org) wrote:
> On 2009-12-10, Jonas Thambert <jonas.thamb...@sitic.se> wrote:
> > Like a month ago we got a complaint from a user that our website
> > was unreachable over IPv6. We have 2x Native IPv6 transits. The user
> > had bought IPv6 from an ISP that uses tunneling to deliver it
> > to the organization. After some packet traces we found out that the
> > problem was in PF and that it doesn't seem to handle fragmented IPv6
> > packets.
> >
> > Sure enough, from the man page of pf.conf:
> >
> > "Currently, only IPv4 fragments are supported and IPv6 fragments are
> >  blocked unconditionally."
> >
> > The problem is that some of Sweden's largest ISPs use tunneling for IPv6
> > to their customers so we can't just say, ditch em. Teredo seems to work
> > fine.
> >
> > Is there a workaround or plans to implement support for this in pf?
> 
> the workaround is to reduce the MTU, or for TCP you can use scrub max-mss
> (1220 is a safe value to clamp MSS to; this equates to MTU 1280, which all
> IPv6 hosts are required to handle).
>
Could someone please hit me with a clue stick if I am wrong here... If there is
a tunnel reducing the MTU then the tunnel endpoint should send an ICMPv6 packet
too big to the sender. My assumption is that the host then shall reduce the
MTU, i.e. putting less stuff in each packet, not that the host should create
big packets and then fragment them.
 
/Joakim
