nanog mailing list archives

Re: What do you consider acceptable packet / session modification for a network operator?


From: Marco Moock via NANOG <nanog () lists nanog org>
Date: Thu, 25 Dec 2025 20:04:58 +0100

On 25.12.2025 10:28 William Herrin <bill () herrin us> wrote:

> It depends on the price. When you're trying to minimize the price of
> your service, IPv4 addresses have become one of the expenses you can
> tweak.

I agree on CGNAT (or other forms of NAT) for IPv4, but not IPv6.
 
>>> - TCP MSS - MSS Clamping all connections
>>>
>>> - TCP MSS - MSS Clamping, but you instead (accidentally?) set MSS
>>> to your desired value even if it was lower before

>> This is crap. ICMP exists for this and also works for UDP.

> With due respect, it's no secret that PMTUD on the Internet is broken.
> There are just too many ways for that ICMP packet from the middle box
> to get lost and not all of them are a result of ignorant
> configuration. PMTUD is one of the very few places that IPv4's
> designers broke with the end-to-end principle and it shows.

IPv4 is indeed nasty because if the DF bit is not set, a router might
fragment and the receiver might not handle that properly.
Everything else is handled by ICMP. If people are blocking that, it is
their fault.

> If you know you're transiting a link with an MTU below 1500, reliable
> use means clamping the MSS. Sorry, but that's how it is these days.

If that fixed the problem, it is still broken and everything else (like
UDP) is broken.

>>> - Related to above - Network accepts TCP connection which it will
>>> intercept (sends SYN/ACK to user) before it confirms that the
>>> destination is reachable

>> Are you a crappy ISP that really needs to do this?

> Geostationary satellite. You HAVE to do things to speed up TCP or the
> customer feels the pain.

If the customer agrees to that - fine. But as a customer I want to know
what interception is being done.


>>> - Dropping/resetting port 80 sessions that don't ‘look like’ HTTP
>>>
>>> - Dropping/resetting port 443 sessions that don't ‘look like’ TLS

>> Can you please stop interfering with connections?
>> You are an ISP and people pay you for transferring the data they
>> requested.

> This is usually done by enterprises rather than ISPs. Except when the
> DDOS mitigation service is active. Then they're quite pointedly
> filtering out non-standard traffic.

Enterprises are not ISPs for normal situations. I do filter stuff too
in certain parts of my network, but I can decide myself what to filter,
rather than my ISP.


-- 
kind regards
Marco

Send spam to abfall1766654886 () stinkedores dorfdsl de
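The MSS-clamping point argued in this thread (a clamp that only ever lowers the advertised MSS, versus the "set MSS to my value even if it was lower" mistake) worked through as an added example; this is constructed code, not anything posted by the thread participants, and the SYN option bytes below are made up to resemble a typical Linux SYN.

```python
"""Parse a SYN's TCP options and clamp the MSS option correctly.

Constructed example for the MSS-clamping discussion, not code from the
thread. rewrite_mss(clamp=True) only lowers the MSS; clamp=False shows the
accidental 'set' behaviour that can raise a host's MSS above what it asked for.
"""
import struct

MSS_KIND = 2  # TCP option kind for Maximum Segment Size


def mss_for_mtu(link_mtu: int, ipv6: bool = False) -> int:
    """Largest TCP payload fitting one unfragmented packet on the link:
    MTU minus the 20-byte TCP header and a 20-byte IPv4 / 40-byte IPv6 header."""
    return link_mtu - 20 - (40 if ipv6 else 20)


def iter_options(options: bytes):
    """Yield (offset, kind, length) per TCP option; EOL stops, NOP has no length."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # EOL: end of option list
            return
        if kind == 1:                      # NOP: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            raise ValueError(f"malformed TCP option at offset {i}")
        yield i, kind, options[i + 1]
        i += options[i + 1]


def read_mss(options: bytes):
    """Return the advertised MSS, or None if the SYN carries no MSS option."""
    for off, kind, length in iter_options(options):
        if kind == MSS_KIND and length == 4:
            return struct.unpack_from("!H", options, off + 2)[0]
    return None


def rewrite_mss(options: bytes, target: int, clamp: bool = True) -> bytes:
    """Return the options with the MSS rewritten: min(advertised, target) when
    clamp=True (correct), or unconditionally target when clamp=False (the bug)."""
    out = bytearray(options)
    for off, kind, length in iter_options(options):
        if kind == MSS_KIND and length == 4:
            current = struct.unpack_from("!H", out, off + 2)[0]
            struct.pack_into("!H", out, off + 2, min(current, target) if clamp else target)
    return bytes(out)


# Constructed SYN options: MSS 1460, SACK-permitted, timestamps, NOP, wscale 7.
SYN_OPTIONS = bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030307")
```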


_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/S2YXKQ7IFUDOMUMUACX64MUE3NZVTOOT/
