[OpenAFS] Re: mtu problem

Brandon Allbery ballbery@sinenomine.net
Thu, 7 Feb 2013 17:23:14 +0000


A host or network which drops all ICMP indiscriminately is fundamentally broken, and I could make an argument for not allowing it to communicate with other networks at all.  If someone is demanding drop-all-ICMP as "security best practice" then you need to find someone who actually understands networks and network security, and possibly challenge your current security advisor(s) for fraud.

--
brandon s allbery kf8nh                               sine nomine associates
allbery.b@gmail.com                                  ballbery@sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad        http://sinenomine.net

________________________________________
From: openafs-info-admin@openafs.org [openafs-info-admin@openafs.org] on behalf of Antony Mayi [antonymayi@yahoo.com]
Sent: Thursday, February 07, 2013 11:36
To: Andrew Deason; openafs-info@openafs.org
Subject: Re: [OpenAFS] Re: mtu problem
(...)
modern tcp/ip stack is setting Don't Fragment flag by default so oversized packets are always dropped (relevant ICMP should be sent back for PMTU discovery to kick in though which is not happening in my case).