On 6/3/19 03:29, Mark Andrews wrote:
>
>> On 6 Mar 2019, at 3:37 pm, Fernando Gont <fg...@si6networks.com> wrote:
>>
>> On 6/3/19 01:09, Mark Andrews wrote:
>>>
>>>> On 6 Mar 2019, at 1:30 pm, Fernando Gont <fg...@si6networks.com> wrote:
>>>>
>>>> On 3/3/19 18:04, Mark Andrews wrote:
>>>>> There are lots of IDIOTS out there that BLOCK ALL ICMP. That blocks PTB
>>>>> getting back to the TCP servers. There are also IDIOTS that deploy load
>>>>> balancers that DO NOT LOOK INSIDE ICMP messages for redirecting ICMP
>>>>> messages to the correct back end. There are also IDIOTS that rate limit
>>>>> PTB generation to ridiculously low rates. One should be able to generate
>>>>> PTB at line rate.
>>>>>
>>>>> Everyone that has configured mss-fix-up has contributed to the
>>>>> misunderstanding that you can block ICMP. It is time we had a flag day to
>>>>> REMOVE mss-fix-up from all the boxes you control. We need to get PTB
>>>>> working and unfortunately that means that we need to stop pandering to
>>>>> admins who don't know how IP is supposed to work. ICMP is NOT optional.
>>>>
>>>> It would seem IETF's intention is to actually move away from
>>>> ICMPv6-based PMTUD, to the extent that is possible. (RFC4821).
>>>
>>> Which is not a reason to not fix broken equipment and misconfigured
>>> firewalls. The workarounds are basically there because people deploy
>>> broken equipment.
>>
>> Agreed. That said, it wasn't solved in 30+ years of IPv4. Do you have
>> hopes it will be different with IPv6?
>
> Make a big enough stink and it will get fixed. People just don't make
> enough of a stink. Use social media. None of the companies with broken
> firewalls really want their idiotic practices pointed out in public. Start
> doing so every time you see it #STUPIDFIREWALL.
At times, it's fw defaults. Other times, it is admin policies.

RFC4821 seems to signal that the IETF has given up on making ICMP-based
PMTUD work, and aims at a (mostly) ICMP-free PMTUD.

Essentially, when brokenness is widespread, you have to come up with
workarounds. And when workarounds are sufficiently widespread, there's less
of an incentive to fix the original issue.

Other times, there's a disconnect between protocol standards, products, and
operational requirements. That's the case of IPv6 EHs. This is their
usability on the public Internet: RFC 7872. And these are some of the
reasons why you get the numbers in RFC 7872:
https://tools.ietf.org/html/draft-gont-v6ops-ipv6-ehs-packet-drops

Cheers,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
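The thread's two failure modes, load balancers that forward an ICMPv6 Packet Too Big without looking at the packet embedded in it, and hosts that accept any MTU a PTB reports, both come down to what a receiver does with the bytes after the ICMPv6 header. The following is an added example and not code from the thread or from either poster: it parses a PTB message per the RFC 4443 layout (type 2, code 0, checksum, 4-byte MTU, then the leading bytes of the invoking packet), recovers the TCP 4-tuple from the embedded original packet, and only applies the MTU to a flow the host actually owns, clamped to the IPv6 minimum link MTU as RFC 8201 requires. The function names, the flow-table shape and the sample message bytes are all constructed for the example.

```python
"""Parse an ICMPv6 Packet Too Big (PTB) message and apply it to a known flow.

Added example (not from the mailing-list thread). Layout from RFC 4443 s3.2:
  type(1) code(1) checksum(2) MTU(4) | as much of the invoking packet as fits
The embedded packet is the one *we* sent, so its source address/port is the
key a load balancer must use to hand the PTB to the backend that sent it;
routing the PTB by the outer destination address alone loses it.
"""
import ipaddress
import struct

ICMPV6_PACKET_TOO_BIG = 2
IPV6_MIN_MTU = 1280          # RFC 8200 minimum link MTU
IPV6_HDR_LEN = 40
TCP_HDR_MIN_LEN = 20
DEFAULT_PMTU = 1500          # assumed initial path MTU for the example


def parse_ptb(icmp: bytes):
    """Return (mtu, src, dst, sport, dport) of the flow a PTB refers to.

    src/dst/sport/dport come from the embedded original IPv6+TCP packet,
    not from the outer ICMPv6 packet. Raises ValueError on anything that is
    not a well-formed PTB carrying an IPv6/TCP invoking packet.
    """
    if len(icmp) < 8 + IPV6_HDR_LEN + TCP_HDR_MIN_LEN:
        raise ValueError("truncated ICMPv6 message")
    typ, code, _csum, mtu = struct.unpack("!BBHI", icmp[:8])
    if typ != ICMPV6_PACKET_TOO_BIG or code != 0:
        raise ValueError(f"not a Packet Too Big message (type={typ}, code={code})")
    inner = icmp[8:]
    if inner[0] >> 4 != 6:
        raise ValueError("embedded packet is not IPv6")
    next_hdr = inner[6]                      # next header field of inner IPv6
    src = ipaddress.IPv6Address(inner[8:24])
    dst = ipaddress.IPv6Address(inner[24:40])
    if next_hdr != 6:                        # 6 = TCP; EHs are not handled here
        raise ValueError(f"embedded packet is not TCP (next header {next_hdr})")
    sport, dport = struct.unpack("!HH", inner[40:44])
    return mtu, src, dst, sport, dport


def apply_ptb(path_mtu: dict, known_flows: set, icmp: bytes):
    """Update path_mtu for the flow named inside the PTB; None if not ours.

    known_flows holds (src, sport, dst, dport) tuples of connections this
    host owns, with addresses as strings. A PTB whose embedded packet does
    not match one of them is ignored (an unsolicited error is not acted on).
    The reported MTU is never allowed below IPV6_MIN_MTU (RFC 8201 s4).
    """
    mtu, src, dst, sport, dport = parse_ptb(icmp)
    key = (str(src), sport, str(dst), dport)
    if key not in known_flows:
        return None
    mtu = max(mtu, IPV6_MIN_MTU)
    current = path_mtu.get(key, DEFAULT_PMTU)
    if mtu < current:                        # a PTB can only lower the estimate
        path_mtu[key] = mtu
    return path_mtu.get(key, current)


def build_sample_ptb(mtu: int, src: str, dst: str, sport: int, dport: int,
                     payload_len: int = 1400) -> bytes:
    """Construct a PTB message for testing (constructed sample, checksum 0)."""
    s = ipaddress.IPv6Address(src).packed
    d = ipaddress.IPv6Address(dst).packed
    # inner IPv6 header: version 6, payload length, next header TCP, hop limit 64
    inner_ip = struct.pack("!IHBB", 0x60000000, payload_len, 6, 64) + s + d
    # minimal TCP header: seq 1, ack 0, data offset 5, ACK flag, window 65535
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x10, 65535, 0, 0)
    return struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu) + inner_ip + tcp


if __name__ == "__main__":
    flows = {("2001:db8::1", 443, "2001:db8::2", 50000)}
    table = {}
    ptb = build_sample_ptb(1400, "2001:db8::1", "2001:db8::2", 443, 50000)
    print(parse_ptb(ptb))                    # (1400, src, dst, 443, 50000)
    print(apply_ptb(table, flows, ptb))      # 1400
```

The flow check is the part a load balancer or firewall tends to get wrong: the outer ICMPv6 packet is addressed to the VIP, so without reading the inner source port there is no way to tell which backend's connection it concerns, and dropping it at that point is exactly the black-hole behaviour the thread complains about.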