nanog mailing list archives

Re: What do you consider acceptable packet / session modification for a network operator?


From: Tom Beecher via NANOG <nanog () lists nanog org>
Date: Fri, 26 Dec 2025 10:52:48 -0500


I do not understand that. If the router has a public routable address
and a default route to a router with a full table, the packet
should arrive. Otherwise a general routing problem exists.
I am aware of such situations, but PMTU issues are just one of the
many issues that are caused by this.


Let's say all my physical interfaces have public addresses on them, but my
router loopback is numbered RFC1918. Perfectly acceptable and common
configuration.

Packet comes in with DF set. Egress interface MTU is too small. ICMP Frag
Needed generated, source address is RFC1918 loopback from the router
control plane. On the return trip, packet crosses network that (correctly)
drops all RFC1918 sourced traffic.

This is not a routing problem at all. This is very common.



On Fri, Dec 26, 2025 at 9:17 AM Marco Moock via NANOG <nanog () lists nanog org>
wrote:

On 26.12.2025 at 06:08:34, William Herrin wrote:

That's not really on the list of Internet problems with PMTUD. Not a
lot of packets without the DF bit set any more.

No, the problem is there's lots of reasons for that ICMP packet to
get dropped.

* No valid route from the complaining router to the packet origin.

IP is end-to-end. You're only supposed to have to guarantee routes
between the endpoints, not between the midpoints and endpoints.

I do not understand that. If the router has a public routable address
and a default route to a router with a full table, the packet
should arrive. Otherwise a general routing problem exists.
I am aware of such situations, but PMTU issues are just one of the
many issues that are caused by this.

* Complaining router's interface is numbered with RFC1918.

Then the NAT mechanism is failing, as there must not be non-global
addresses traveling across AS borders. The NAT ACL must include all used
addresses that are non-global.

And I haven't even touched the stupid firewall admins who erroneously
block all ICMP "because it's ping." There are a lot of them.

I know, but they create their own problems and there is no need for
ISPs to circumvent their self-made problems.

No, if you don't want the headache of having to deal with every goofy
little situation where PMTUD doesn't work and you _know_ you have a
link with an MTU under 1500 (common with ISPs using PPPOE to the
customer premise equipment) then you clamp the TCP MSS. You don't like
it. But you do it anyway because tech support hours are expensive and
that results in fewer of them.

I've never seen that yet at the ISPs I use.

--
Regards
Marco

Send unsolicited bulk mail to 1766725714muell () cartoonies org
_______________________________________________
NANOG mailing list

https://lists.nanog.org/archives/list/nanog () lists nanog org/message/NZLMD3NCYJT7KXMFACE5AD5SDWJGC2HI/
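The failure mode Tom Beecher describes above (ICMP Fragmentation Needed sourced from an RFC 1918 loopback, then dropped by a transit bogon filter on the way back) and the MSS-clamping workaround William Herrin mentions can both be shown in a small simulation. The code below is an added illustration, not something from the thread or from any vendor implementation; the hop names, addresses and MTUs are constructed, and the ICMP source-address selection is modelled as a single per-router flag rather than any particular platform's configuration knob.

```python
"""Toy model of PMTUD black-holing when a router sources its ICMP
"Fragmentation Needed" (type 3, code 4) from an RFC 1918 loopback and a
transit network drops RFC 1918-sourced packets, next to TCP MSS clamping,
which removes the dependency on the ICMP ever arriving.
Constructed example: topology, addresses and MTUs are made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    return any(ip_address(addr) in net for net in RFC1918)


@dataclass
class Hop:
    name: str
    egress_mtu: int                 # MTU of the link toward the destination
    interface_addr: str             # address of that egress interface
    loopback_addr: Optional[str] = None
    icmp_from_loopback: bool = False       # control plane sources ICMP errors from loopback
    filters_rfc1918_sources: bool = False  # transit network dropping RFC 1918 sources

    def icmp_source(self) -> str:
        if self.icmp_from_loopback and self.loopback_addr:
            return self.loopback_addr
        return self.interface_addr


@dataclass
class Packet:
    src: str
    dst: str
    size: int                               # total IP length in bytes
    df: bool = True
    frag_needed_mtu: Optional[int] = None   # set only on an ICMP Frag Needed message


def send(hops: list, pkt: Packet) -> tuple:
    """Forward pkt across hops. Returns (outcome, icmp): 'delivered',
    'icmp' (Frag Needed reached the sender) or 'blackhole' (it was dropped)."""
    for i, hop in enumerate(hops):
        if pkt.size <= hop.egress_mtu:
            continue
        if not pkt.df:
            return "delivered", None        # would be fragmented in place
        icmp = Packet(src=hop.icmp_source(), dst=pkt.src, size=576,
                      frag_needed_mtu=hop.egress_mtu)
        # The ICMP error travels back through the hops already traversed.
        for back in reversed(hops[:i]):
            if back.filters_rfc1918_sources and is_rfc1918(icmp.src):
                return "blackhole", None
        return "icmp", icmp
    return "delivered", None


def pmtud_session(hops: list, src: str, dst: str, size: int = 1500, max_rounds: int = 5) -> dict:
    """Sender side of PMTUD: shrink on Frag Needed, stall when nothing comes back."""
    for _ in range(max_rounds):
        outcome, icmp = send(hops, Packet(src, dst, size))
        if outcome == "delivered":
            return {"status": "ok", "size": size}
        if outcome == "blackhole":
            return {"status": "blackhole", "size": size}
        size = icmp.frag_needed_mtu
    return {"status": "gave_up", "size": size}


def clamp_mss(hops: list) -> int:
    """MSS an edge would rewrite into the SYN: smallest path MTU minus 20 B IPv4 + 20 B TCP."""
    return min(h.egress_mtu for h in hops) - 40


# Constructed topology: server -> edge -> transit (bogon filter) -> PPPoE BRAS (MTU 1492) -> customer
SERVER = "198.51.100.20"
CUSTOMER = "203.0.113.10"


def build_path(icmp_from_loopback: bool) -> list:
    return [
        Hop("edge", 1500, "198.51.100.1"),
        Hop("transit", 1500, "192.0.2.1", filters_rfc1918_sources=True),
        Hop("pppoe-bras", 1492, "203.0.113.1", loopback_addr="10.255.0.1",
            icmp_from_loopback=icmp_from_loopback),
    ]


if __name__ == "__main__":
    print("loopback-sourced ICMP:", pmtud_session(build_path(True), SERVER, CUSTOMER))
    print("interface-sourced ICMP:", pmtud_session(build_path(False), SERVER, CUSTOMER))
    mss = clamp_mss(build_path(True))
    print("clamped MSS:", mss, "->", send(build_path(True), Packet(SERVER, CUSTOMER, mss + 40))[0])
```

With the loopback as ICMP source the session black-holes at 1500 bytes and the sender never learns the 1492-byte path MTU; with the public interface address it converges to 1492 after one round; with the MSS clamped to 1452 the full-size segment already fits and no ICMP is needed at all, which is the reason the clamp is applied regardless of whose misconfiguration broke PMTUD.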
