On 27/2/19 07:01, Jean-Daniel Pauget wrote: > hello, > > I confess using IPv6 behind a 6in4 tunnel because the "Business-Class" > service > of the concerned operator doesn't handle IPv6 yet. > > as such, I realised that, as far as I can figure, ICMPv6 packet "too-big" > (rfc 4443) > seem to be ignored or filtered at ~60% of ClouFlare's http farms > > as a result, random sites such as http://nanog.org/ or > https://www.ansible.com/ > are badly reachable whenever small mtu are involved ... > > support@cloudflare answered me that because I'm not the owner of > concerned site, > and because of security reasons, they wouldn't investigate further. > > are there security concerns with ICMP-too-big ?
Please see: https://tools.ietf.org/html/rfc5927 and also: https://tools.ietf.org/html/rfc8021 Thanks, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
