Date: Thu, 22 Sep 2005 09:46:50 +1000
From: Dave+Seddon <dave-sender-1932b5@seddon.ca>
To: Sten Daniel Sørsdal <lists@wm-access.no>
Cc: freebsd-net@FreeBSD.org
Subject: Re: UDP dont fragment bit
Message-ID: <1127346412.31633.TMDA@seddon.ca>
In-Reply-To: <43315E6F.1020003@wm-access.no>
References: <20050918212110.61962.qmail@web54501.mail.yahoo.com> <20050920134408.Y34322@fledge.watson.org> <43313924.9050009@wm-access.no> <20050921114511.D34322@fledge.watson.org> <4331539D.9030204@wm-access.no> <20050921134029.M34322@fledge.watson.org> <43315E6F.1020003@wm-access.no>

Greeting Sten,

I'm a little worried about a couple of the things you've said:

1. "It is more common to block icmp messages about reassembly problems than DF problems IF a message is generated in the first place."

I think that's crap. Most firewalls DO correctly and statefully accept the ICMP messages for existing sockets. ipf and pf do, but I'm not sure about IPFW2, but I'd be surprised if it didn't. I'd also be surprised if iptables in Linux land didn't track the ICMP. Most commercial firewalls, like Netscreen, Checkpoint, PIX, all do also.

2. "Consider a client connected to an isp's network(1). The isp drops all ICMP packets. That network is then connected to a third network(2) which has a data path that has an MTU of 1400 bytes but also mangles tcp mss to 1360, udp packets must get fragmented. On server size the firewall must reassemble all udp fragments before passing them on to server."

If your ISP doesn't understand the importance of ICMP and they just drop it, change ISPs. ICMP is critical to efficient TCP, and your whole thread is about getting that ability for UDP. If your ISP does drop ICMP then the don't defragment option will just result in packets disappearing anyway.

Regards,
Dave Seddon