North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: PMTU and Broken Servers

  • From: Dalvenjah FoxFire
  • Date: Fri May 09 12:39:38 2003

>>>>> "bicknell" == Leo Bicknell <[email protected]> writes:

    bicknell> This is a new problem to me, but I'm sure people have
    bicknell> run into it before.  Are the servers really that broken
    bicknell> (PMTU enabled, ICMP Can't Fragement filtered)?  Does the
    bicknell> head end box of DSL services generally do something to
    bicknell> work around this (ie, clear the DF bit)?  Am I just
    bicknell> being an idiot and missing something obvious?

I first saw this about four years ago with a web site running behind
a load balancing device. It was -- and probably still is -- another
issue of default configuration hell. The web servers were configured
by default to do Path MTU discovery, while the load balancer had
no concept of passing the ICMP Need Fragment packet back to the
appropriate server.

(There may still be no good way to do this; if I remember right,
the ICMP Need Fragment packet contains only IPs and not ports;
the host sending the ICMP packet will be using its IP and the outside
IP of the load balancer, giving the load balancer no good way to
determine where to pass the ICMP packet, unless the load balancer
is guaranteeing that all data from a particular IP goes to a particular
server -- also not a default configuration.)

It's a hard call for which to make the default; PMTU makes sense,
obviously, unless you're running behind a load balancer. It's another
one of those things that probably isn't documented anywhere, or if it is,
it's buried in an appendix that nobody gets to.

The only solution is to mail the folks maintaining the web sites you
can't get to with a short explanation of what you think the problem is,
and hope they look into it and fix it. Not unlike smurf relays and
networks that don't filter outgoing source addresses. }:>