Test your connectivity for World IPv6 Day

Rémi Després remi.despres at free.fr
Tue Jun 7 19:18:31 CEST 2011


Le 7 juin 2011 à 18:11, Tore Anderson a écrit :

> * Rémi Després
> 
>> A tunnel supporting less than 1500 must indeed return ICMP PTB
>> messages like any tunnel.
>> 
>> But if the source host has a firewall that filters inbound ICMPv6
>> messages, this becomes this host's problem. It becomes also a problem
>> of hosts it communicates with although these hosts have no
>> responsibility in the problem.
>> 
>> This host avoids the problem if it works with an "effective MTU for
>> sending" of 1280 for off-link destinations, except for paths where
>> PMTUD has detected better values.
>> 
>>> I refuse to work around their defective network by crippling the
>>> MTU for all my visitors.
>> 
>> In my understanding, it isn't a problem of defective ISP network. It
>> is a problem of uncertain effectiveness, so far, of PMTUD (worse in
>> UDP than in TCP, and aggravated where some firewalls unduly filter
>> ICMPv6 messages).
> 
> I have no firewalls that filter ICMPv6 PTB between my servers and my
> border routers. So when my servers are the source host, PMTUD will work,
> unless something in on the end users's [ISP's/tunnel broker's] side is
> making it break. In which case - not my problem.
> 
> I have no influence on what MTU is chosen by the remote host (i.e. the
> end user's computer). If they'd like to use a MTU of 1280 - that is fine
> by me. I'll serve them just fine. If they give me a TCP MSS of 1220,
> I'll respect that, too.
> 
> Just don't ask me to lower *my own* MTU for *every* packet my servers
> transmit because *some* users *may* have defective
> firewalls/networks/ISPs/tunnels/whatever that prevents my servers from
> discovering the MTU in the end user's inbound path.

OK, well controlled servers like yours can be less conservative than, for example, servers people run behind some unknown firewalls.
Consciously setting their default PMTU to 1500 makes sense, I agree. (My initial statement was too general.)

OTOH, I am still convinced that an OS intended for plug and play operation, including behind all typical firewalls, should have 1280 by default as a security against potential connectivity problems.
 
 

>>> What MTU do you recommend for IPv4 servers, by the way? 576 or 68?
>> 
>> As you of course know, despite this ironic question, the problem
>> comes up in IPv6 because routers can no longer fragment packets.
> 
> And when the DF bit is set?

OK, I agree that TCP packets sent with PMTUD normally have their DF bit set, so that all IPv4 paths have in practice to support 1500.


The question that remains IMHO is how much efficiency can be lost by starting with 1500 in the short term, i.e. while a large proportion of the IPv6 traffic crosses some tunnels.
Even if one neglects 6to4 and Teredo, a large part of the native-address traffic still uses tunnel brokers or 6rd.
Yet, I agree that this is secondary compared to connectivity issues, and wouldn't recommend 1280 simply for this.

Thanks for the points you made.

Regards,
RD


> 
> -- 
> Tore Anderson
> Redpill Linpro AS - http://www.redpill-linpro.com/
> Tel: +47 21 54 41 27




More information about the ipv6-ops mailing list