[OpenAFS] Re: mtu problem

Derek Atkins warlord@MIT.EDU
Fri, 08 Feb 2013 09:56:16 -0500


Brandon Allbery <ballbery@sinenomine.net> writes:

> Subset of, yes.  All?  So many sites on the Internet can't be accessed
> reliably from the many OSes that do PMTUD?  Somehow, I doubt.

I didn't say "all", I said "many".  And yes, there are many sites on the
internet that cannot be accessed reliably from many OSes that do PMTUD,
particularly if you have some pipe between you and the site that is
smaller than your endpoint MTU (e.g. an IP tunnel, be it GRE, IPsec,
etc).  I have plenty of first-hand experience with this.

The fix I've put in is to have all my hosts behind the tunnel have an
MTU of 1492 instead of 1500, because otherwise it reliably fails to many
sites because the ICMP doesn't get back to me.

You can test this yourself.  Try to traceroute to some hosts and see if
you get the ICMP response all the way to the end or if it ends at the
endpoint's router.  If it ends at the router that means they are
blocking outgoing ICMP, which means PMTU is broken.  This happens more
often than you would believe (although I admit it is getting much better
now than it was years ago).

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
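
A complementary check to the traceroute test described in the message above, as an added example that is not part of the original post: a binary search with don't-fragment echo requests for the largest packet that actually gets through, which gives the MTU to configure on hosts behind a tunnel. It assumes Linux iputils `ping` (`-M do` sets DF); the names `probe`, `PROBE` and `path_mtu` are hypothetical.

```shell
#!/bin/sh
# probe HOST PAYLOAD: succeeds if an echo request carrying PAYLOAD bytes,
# sent with the don't-fragment bit set, gets a reply.
# Assumes Linux iputils ping. Set PROBE to another function to run offline.
probe() {
    ping -M do -c 1 -W 2 -s "$2" "$1" >/dev/null 2>&1
}
PROBE=${PROBE:-probe}

# path_mtu HOST: prints the largest IP packet size (576..1500) that reaches
# HOST unfragmented, or 0 if even the smallest probe goes unanswered
# (host down, or echo filtered, so nothing can be concluded).
# ICMP payload = packet size - 28 (20-byte IPv4 header + 8-byte ICMP header).
path_mtu() {
    host=$1
    lo=548      # payload for a 576-byte packet
    hi=1472     # payload for a 1500-byte packet
    "$PROBE" "$host" "$lo" || { echo 0; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$PROBE" "$host" "$mid"; then
            lo=$mid             # this size got through, try larger
        else
            hi=$(( mid - 1 ))   # dropped or rejected, try smaller
        fi
    done
    echo $(( lo + 28 ))
}

# Example: path_mtu www.example.org
# A result below the local interface MTU means some hop is narrower. If
# large transfers to that host also stall, the ICMP "fragmentation needed"
# messages are not making it back, and lowering the MTU is the workaround.
```

The search treats a silent drop and an ICMP rejection the same way, so it finds the usable size whether or not the path is filtering ICMP.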