[j-nsp] MTU Fragmentation
Phil Mayers
p.mayers at imperial.ac.uk
Wed Nov 24 10:30:35 EST 2010
On 11/24/2010 02:58 PM, sthaug at nethelp.no wrote:
> I would be greatly worried about all the hosts sending 1500 byte
> packets from behind firewalls that drop ICMP "DF set and fragmentation
> needed" packets from your Juniper routers.
Or even load-balancers which don't reverse-map the ICMPs; this is (or
was, a couple of years ago) a common problem with some very popular
websites.
>
> In short, I think you're in for some pain...
Agreed.
One option is to clamp TCP MSS negotiated in the SYN/SYN+ACK packets, at
the MTU-constrained points. We did this successfully, although the
MTU-constrained bits were IPSec tunnels on firewalls - whether the
Juniper kit can MSS-clamp I don't know.
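
The MSS clamp described in the reply above, sketched in Python as an added example that is not part of the original post or of any vendor's implementation. It rewrites the MSS option in a SYN or SYN+ACK and patches the TCP checksum incrementally (RFC 1624), so no IP addresses are needed. The names `clamp_mss`, `csum_fixup` and `SAMPLE_SYN` are hypothetical, the sample segment is constructed, and IPv4 without IP options is assumed.

```python
import struct

IPV4_HDR, TCP_HDR, SYN = 20, 20, 0x02  # assumption: IPv4 without IP options

# Constructed sample: SYN 192.0.2.1:49152 -> 198.51.100.2:443 advertising MSS 1460.
SAMPLE_SYN = bytes.fromhex("c00001bb00000001000000006002ffffea320000020405b4")

def csum_fixup(csum, old, new):
    """RFC 1624 incremental checksum update for one changed 16-bit word."""
    s = (~csum & 0xFFFF) + (~old & 0xFFFF) + new
    s = (s & 0xFFFF) + (s >> 16)
    return ~((s & 0xFFFF) + (s >> 16)) & 0xFFFF

def clamp_mss(tcp, path_mtu):
    """Lower the MSS option of a SYN or SYN+ACK so full-size segments fit path_mtu.

    tcp is the raw TCP segment (header onwards). Anything that is not a SYN,
    is malformed, or already advertises a small enough MSS is returned as is.
    """
    limit = path_mtu - IPV4_HDR - TCP_HDR
    if limit <= 0:
        raise ValueError("path_mtu leaves no room for TCP payload")
    if len(tcp) < TCP_HDR or not tcp[13] & SYN:
        return tcp
    hdr_len = (tcp[12] >> 4) * 4
    if not TCP_HDR <= hdr_len <= len(tcp):
        return tcp
    i = TCP_HDR
    while i < hdr_len and tcp[i] != 0:          # kind 0 ends the option list
        if tcp[i] == 1:                         # kind 1 is a one-byte NOP
            i += 1
            continue
        if i + 1 >= hdr_len or tcp[i + 1] < 2 or i + tcp[i + 1] > hdr_len:
            return tcp                          # truncated or bogus option length
        if tcp[i] == 2 and tcp[i + 1] == 4:     # kind 2 is MSS: 02 04 hi lo
            if struct.unpack_from("!H", tcp, i + 2)[0] <= limit:
                return tcp
            out = bytearray(tcp)
            struct.pack_into("!H", out, i + 2, limit)
            csum = struct.unpack_from("!H", tcp, 16)[0]
            # The MSS value may straddle two aligned words if NOPs precede it.
            for w in range((i + 2) & ~1, i + 4, 2):
                csum = csum_fixup(csum, *struct.unpack_from("!H", tcp, w),
                                  *struct.unpack_from("!H", out, w))
            struct.pack_into("!H", out, 16, csum)
            return bytes(out)
        i += tcp[i + 1]
    return tcp
```

Because only the handshake is rewritten, both endpoints keep sending segments that fit the constrained hop even when the ICMP "fragmentation needed" messages never reach them; non-TCP traffic is not helped by this.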