Clearing DF bits...

Hi there all,

Years ago it used to be a somewhat common practice to clear the DF bit on packets, either on all packets, or just on those that you were going to shove through a tunnel (I think the NetScreen command was something like "set vpn foo df-bit clear", Cisco had something funky with policy routing IIRC, etc.).

This was done both to deal with multiple encapsulations and for the folk that block all ICMP for "security reasons".

Is this practice still common / do you know of anyone still doing it?

W

I did it as recently as last month, for the same reasons.