North American Network Operators Group


Re: PMTU and Broken Servers

  • From: ddragon
  • Date: Fri May 09 13:43:27 2003

"Dalvenjah" you are in direct violation of the NANOG AUP.

Please come into compliance by posting with your real name, as opposed
to your IRC nickname, otherwise you'll be removed from the list.  If
we are to believe that "Dajvenjah Foxfire" is your real name, please
provide proof of your legal name change, or a birth certificate, for
NANOG review.

>>>>>> "bicknell" == Leo Bicknell <[email protected]> writes:
>
>    bicknell> This is a new problem to me, but I'm sure people have
>    bicknell> run into it before.  Are the servers really that broken
>    bicknell> (PMTU enabled, ICMP Can't Fragment filtered)?  Does the
>    bicknell> head end box of DSL services generally do something to
>    bicknell> work around this (ie, clear the DF bit)?  Am I just
>    bicknell> being an idiot and missing something obvious?
>
>I first saw this about four years ago with a web site running behind
>a load balancing device. It was -- and probably still is -- another
>issue of default configuration hell. The web servers were configured
>by default to do Path MTU discovery, while the load balancer had
>no concept of passing the ICMP Need Fragment packet back to the
>appropriate server.
>
>(There may still be no good way to do this; if I remember right,
>the ICMP Need Fragment packet contains only IPs and not ports;
>the host sending the ICMP packet will be using its IP and the outside
>IP of the load balancer, giving the load balancer no good way to
>determine where to pass the ICMP packet, unless the load balancer
>is guaranteeing that all data from a particular IP goes to a particular
>server -- also not a default configuration.)
>
>It's a hard call for which to make the default; PMTU makes sense,
>obviously, unless you're running behind a load balancer. It's another
>one of those things that probably isn't documented anywhere, or
>if it is, it's buried in an appendix that nobody gets to.
>
>The only solution is to mail the folks maintaining the web sites you
>can't get to with a short explanation of what you think the problem is,
>and hope they look into it and fix it. Not unlike smurf relays and
>networks that don't filter outgoing source addresses. }:>
>
>-dalvenjah
>
>-- 
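The mechanism the thread is arguing about, as an added example that is not part of the original posts: a server doing Path MTU discovery sends with DF set; a hop whose MTU is too small drops the datagram and returns ICMP type 3 code 4, which per RFC 792 and RFC 1191 carries the next-hop MTU plus the dropped datagram's IP header and its first 8 payload bytes. The script below builds such a message, parses and sanity-checks it the way a receiving host or a device in front of several servers would, and shows what a balancer has to key on (the quoted 5-tuple) and what happens when the quoted transport bytes are missing. All addresses, ports and the session table are constructed sample data; `backend_for` is a hypothetical lookup, not any vendor's code.

```python
"""Parse an ICMP "Fragmentation Needed" (type 3, code 4) message as defined by
RFC 792 / RFC 1191 and show which fields a device in front of several servers
can use to hand it to the right one.  Addresses, ports and the session table
below are constructed sample data for this example."""
import struct
from typing import Dict, NamedTuple, Optional, Tuple

ICMP_DEST_UNREACH, CODE_FRAG_NEEDED = 3, 4
IPV4_MIN_MTU = 68  # RFC 791 minimum datagram size every host must accept


class FragNeeded(NamedTuple):
    next_hop_mtu: int           # 0 means an old router that does not report it
    orig_len: int               # total length of the dropped datagram
    src_ip: str                 # sender of the dropped datagram (the VIP after SNAT)
    dst_ip: str                 # its destination (the client)
    proto: int
    src_port: Optional[int]     # only present if the transport bytes were quoted
    dst_port: Optional[int]


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum shared by IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with DF set, as a PMTUD host would send it."""
    def to4(addr: str) -> bytes:
        return bytes(int(x) for x in addr.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                      64, proto, 0, to4(src), to4(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_frag_needed(next_hop_mtu: int, dropped_ip_header: bytes, dropped_payload: bytes) -> bytes:
    """What the dropping router emits: ICMP header + dropped IP header + first 8 payload bytes."""
    body = dropped_ip_header + dropped_payload[:8]
    unchecked = struct.pack("!BBHHH", ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, 0, 0, next_hop_mtu)
    csum = inet_checksum(unchecked + body)
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, csum, 0, next_hop_mtu) + body


def parse_frag_needed(icmp: bytes) -> Optional[FragNeeded]:
    """Return the parsed message, or None if it is malformed or implausible."""
    if len(icmp) < 8 + 20 or inet_checksum(icmp) != 0:
        return None
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if itype != ICMP_DEST_UNREACH or code != CODE_FRAG_NEEDED:
        return None
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl:
        return None
    orig_len = struct.unpack("!H", inner[2:4])[0]
    # Sanity check from RFC 1191: a reported next-hop MTU that is not smaller than
    # the dropped datagram (or is below the IPv4 minimum) cannot explain the drop.
    if mtu and not (IPV4_MIN_MTU <= mtu < orig_len):
        return None
    proto = inner[9]
    src_ip = ".".join(map(str, inner[12:16]))
    dst_ip = ".".join(map(str, inner[16:20]))
    sport = dport = None
    if proto in (6, 17) and len(inner) >= ihl + 4:   # TCP/UDP ports sit in the quoted bytes
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return FragNeeded(mtu, orig_len, src_ip, dst_ip, proto, sport, dport)


# Constructed balancer session table: (client_ip, client_port, vip, vip_port) -> backend
SESSIONS: Dict[Tuple[str, int, str, int], str] = {
    ("198.51.100.7", 51514, "192.0.2.10", 443): "10.0.0.2",
    ("198.51.100.9", 40001, "192.0.2.10", 443): "10.0.0.1",
}


def backend_for(msg: FragNeeded, sessions=SESSIONS) -> Optional[str]:
    """Hypothetical lookup: the ICMP packet itself is addressed to the VIP, so only
    the quoted header says which client connection it concerns.  Without the
    quoted ports there is nothing to key on and the message cannot be delivered."""
    if msg.src_port is None or msg.dst_port is None:
        return None
    return sessions.get((msg.dst_ip, msg.dst_port, msg.src_ip, msg.src_port))


def sample_message(quote_payload: bool = True) -> bytes:
    """Constructed: a 1500-byte DF segment from the VIP to a client is dropped by a
    DSL hop with a 1492-byte MTU; optionally omit the quoted transport bytes."""
    hdr = build_ipv4_header("192.0.2.10", "198.51.100.7", 6, 1500)
    tcp = struct.pack("!HHI", 443, 51514, 0x01020304) if quote_payload else b""
    return build_frag_needed(1492, hdr, tcp)


if __name__ == "__main__":
    for quoted in (True, False):
        msg = parse_frag_needed(sample_message(quoted))
        print(msg, "->", backend_for(msg))
```

Running it prints the parsed message twice: once with ports and a backend found, once with the transport bytes absent and no backend. The same parser is what a host needs before lowering its PMTU estimate, and the checksum and MTU-range checks are the minimum a receiver should apply before trusting an unsolicited ICMP error; a firewall that drops all type 3 messages, as the thread describes, removes the one signal that would let either side recover.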