PMTU and Broken Servers

"Dalvenjah" you are in direct violation of the NANOG AUP.

Please come into compliance by posting with your real name, as opposed
to your IRC nickname, otherwise you'll be removed from the list. If
we are to believe that "Dajvenjah Foxfire" is your real name, please
provide proof of your legal name change, or a birth certificate, for
NANOG review.

   > This is a new problem to me, but I'm sure people have
   > run into it before. Are the servers really that broken
   > (PMTU enabled, ICMP Can't Fragment filtered)? Does the
   > head end box of DSL services generally do something to
   > work around this (i.e., clear the DF bit)? Am I just
   > being an idiot and missing something obvious?

I first saw this about four years ago with a web site running behind
a load balancing device. It was -- and probably still is -- another
issue of default configuration hell. The web servers were configured
by default to do Path MTU discovery, while the load balancer had
no concept of passing the ICMP Need Fragment packet back to the
appropriate server.

(There may still be no good way to do this; if I remember right,
the ICMP Need Fragment packet contains only IPs and not ports;
the host sending the ICMP packet will be using its IP and the outside
IP of the load balancer, giving the load balancer no good way to
determine where to pass the ICMP packet, unless the load balancer
is guaranteeing that all data from a particular IP goes to a particular
server -- also not a default configuration.)

It's a hard call for which to make the default; PMTU makes sense,
obviously, unless you're running behind a load balancer. It's another
one of those things that probably isn't documented anywhere, or
if it is, it's buried in an appendix that nobody gets to.

The only solution is to mail the folks maintaining the web sites
you can't get to with a short explanation of what you think the
problem is, and hope they look into it and fix it. Not unlike smurf
relays and networks that don't filter outgoing source addresses. }:>

-dalvenjah
