nanog mailing list archives

Re: What do you consider acceptable packet / session modification for a network operator?


From: William Herrin via NANOG <nanog () lists nanog org>
Date: Thu, 25 Dec 2025 10:28:06 -0800

On Wed, Dec 24, 2025 at 8:59 PM Marco Moock via NANOG
<nanog () lists nanog org> wrote:
> On 25.12.2025 at 01:08:05, Andrew via NANOG wrote:
>> - Using any form of NAT / packet translation with IPv6 (not including
>> nat64 / other v4 transition related)
>
> Don't do that, there is enough address space for the customers.

Hi Marco,

It depends on the price. When you're trying to minimize the price of
your service, IPv4 addresses have become one of the expenses you can
tweak.


>> - TCP MSS - MSS Clamping all connections
>>
>> - TCP MSS - MSS Clamping, but you instead (accidentally?) set MSS to
>> your desired value even if it was lower before
>
> This is crap. ICMP exists for this and also works for UDP.

With due respect, it's no secret that PMTUD on the Internet is broken.
There are just too many ways for that ICMP packet from the middle box
to get lost and not all of them are a result of ignorant
configuration. PMTUD is one of the very few places that IPv4's
designers broke with the end-to-end principle and it shows.

If you know you're transiting a link with an MTU below 1500, reliable
use means clamping the MSS. Sorry, but that's how it is these days.


>> - Related to above - Network accepts TCP connection which it will
>> intercept (sends SYN/ACK to user) before it confirms that the
>> destination is reachable
>
> Are you a crappy ISP that really needs to do this?

Geostationary satellite. You HAVE to do things to speed up TCP or the
customer feels the pain.

And before you say Starlink is the answer... it turns out they drop a
burst of packets every 15 seconds when they adjust the antenna. Every.
15. Seconds.


>> - Dropping/resetting port 80 sessions that don't ‘look like’ HTTP
>>
>> - Dropping/resetting port 443 sessions that don't ‘look like’ TLS
>
> Can you please stop interfering with connections?
> You are an ISP and people pay you for transferring the data they
> requested.

This is usually done by enterprises rather than ISPs. Except when the
DDoS mitigation service is active. Then they're quite pointedly
filtering out non-standard traffic.

Regards,
Bill Herrin


-- 
For hire. https://bill.herrin.us/resume/
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/2SYTRTBSAJILDCENK6W7CKKVPBPKG7WW/
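The last exchange above (dropping port 80/443 sessions that don't "look like" HTTP or TLS, which Bill attributes to enterprises and to DDoS mitigation services) rests on a first-payload classifier. The following is an added example, not code from the thread or from any mitigation vendor, showing what such a check does and where it bites: it inspects the first client bytes of a session and returns pass, drop or hold (too few bytes to decide). The ClientHello, the SSH banner and the HTTP requests in the test are constructed sample input; the thresholds (16-byte minimum, 8 KiB request line) are assumptions for the example.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"     # HTTP/2 with prior knowledge (h2c)
MIN_BYTES = 16           # assumed: do not decide before this much client payload is seen
MAX_REQUEST_LINE = 8192  # assumed: a request line longer than this is not HTTP we want


def http_verdict(payload: bytes) -> str:
    """HTTP/1.x request line ('METHOD target HTTP/1.x') or the h2c preface."""
    if len(payload) < MIN_BYTES:
        return "hold"
    if payload.startswith(H2_PREFACE):
        return "pass"
    if not payload.startswith(HTTP_METHODS):
        return "drop"
    end = payload.find(b"\r\n")
    if end < 0:                                   # request line not complete yet
        return "hold" if len(payload) < MAX_REQUEST_LINE else "drop"
    parts = payload[:end].split(b" ")
    return "pass" if len(parts) == 3 and parts[2].startswith(b"HTTP/1.") else "drop"


def tls_verdict(payload: bytes) -> str:
    """TLS record header (type 22 handshake, version 3.x, length) followed by a
    ClientHello (handshake type 1) whose body is at least version + random."""
    if len(payload) < 9:
        return "hold"
    ctype, vmaj, vmin, rlen = struct.unpack_from("!BBBH", payload, 0)
    if ctype != 22 or vmaj != 3 or vmin > 4 or not 4 <= rlen <= 16384:
        return "drop"
    if payload[5] != 1:                           # handshake type: ClientHello
        return "drop"
    hs_len = int.from_bytes(payload[6:9], "big")
    return "pass" if hs_len >= 34 else "drop"     # 2-byte version + 32-byte random minimum


def classify_session(dport: int, first_payload: bytes) -> str:
    """'pass', 'drop' or 'hold' for the first client bytes of a TCP session to
    dport; ports other than 80 and 443 are not inspected."""
    if dport == 80:
        return http_verdict(first_payload)
    if dport == 443:
        return tls_verdict(first_payload)
    return "pass"
```

The collateral is visible in the test: an SSH client pointed at 443 is dropped exactly as the filter intends, and so is anything else a customer legitimately runs on those ports; the `hold` state is what keeps a long request line or a ClientHello split across segments from being killed before the classifier has enough bytes to judge.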
