Re: IP fragmentation problem in the 2.0 kernels ?

Alan Cox (alan@lxorguk.ukuu.org.uk)
Wed, 10 Sep 1997 20:48:20 +0100 (BST)


> What if the kernel never sees the ICMP response?
> What if the webserver never sees the ICMP request?
>
> ICMP tends to disappear behind firewalls (to reiterate) - and it's not
> likely firewalls are going to disappear anytime soon.

Then the webserver is broken. Properly configured firewalls pass proper
IP packets. Whoever set up a system where that doesn't work is incompetent
to a degree they should not be involved in firewall configuration.

> Welcome to the real world - the nonstandard one <sigh>.
> There should be a way to handle fragmentation requests with firewalls....

Tough shit.

> There a newer RFC than 1159 for this?
> Any solution?

The opinion on the tcp list is to beat the morons concerned over the heads
until they hire a competent firewall admin.

> Anyone know how IPv6 handles masquerade/forward/et al?
> (RFC's?) - I've only read up to 1850 (roughly)

IPv6 does no partial fragmentation. You have to let ICMP DF frames through.
With IPv4 you can just turn MTU discovery off on your web server (which is
what a lot of folks do). Good high end firewalls don't have this problem and
actually test and process the ICMP DF frames for validity.

Alan
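
Added example, not part of the original message: one way a firewall could test an ICMP "fragmentation needed" message (type 3, code 4) for validity before passing it, instead of dropping all ICMP. The function names, the flow table format, the sample addresses and the policy of rejecting a next-hop MTU of 0 are assumptions made for this sketch.

```python
import socket
import struct

MIN_IPV4_MTU = 68  # RFC 791: every link must carry a 68-byte datagram

def checksum(data):
    """RFC 1071 Internet checksum; a message with a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frag_needed(mtu, src, dst, sport, dport, df=True):
    """Constructed sample: ICMP type 3 code 4 quoting a 1500-byte TCP packet."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234,
                     0x4000 if df else 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    msg = (struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + ip
           + struct.pack("!HHI", sport, dport, 0))  # first 8 bytes of TCP
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]

def validate_frag_needed(icmp, flows):
    """Return ("accept", mtu) or ("drop", reason).
    flows: set of tracked outbound (src, dst, sport, dport) TCP flows."""
    if len(icmp) < 8 + 20 + 8:
        return ("drop", "truncated")
    if checksum(icmp) != 0:
        return ("drop", "bad checksum")
    typ, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (typ, code) != (3, 4):
        return ("drop", "not fragmentation-needed")
    ver_ihl, _, tot_len, _, flags, _, proto = struct.unpack("!BBHHHBB", icmp[8:18])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(icmp) < 8 + ihl + 4 or proto != 6:
        return ("drop", "bad quoted header")
    if not flags & 0x4000:
        return ("drop", "quoted packet did not have DF set")
    sport, dport = struct.unpack("!HH", icmp[8 + ihl:8 + ihl + 4])
    flow = (socket.inet_ntoa(icmp[20:24]), socket.inet_ntoa(icmp[24:28]), sport, dport)
    if flow not in flows:
        return ("drop", "no matching outbound flow")
    # Policy assumption: reject MTU 0 (sent by pre-RFC 1191 routers) and any
    # value that could not have forced fragmentation of the quoted packet.
    if not MIN_IPV4_MTU <= mtu < tot_len:
        return ("drop", "implausible next-hop MTU")
    return ("accept", mtu)
```

The quoted header is matched against flows the protected host actually opened, so a forged message for an unknown connection is dropped while a genuine one still reaches the web server.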