> Sure, but not many folks are downstream of small MTU serial links anymore,
> so if you set your external link to frag at 1492 or less (down to the
> minimum of 576 if you'd like ~100% success,)

Got it. But 576 doesn't guarantee 100% success, even if you have
a fair chance ;-)

IIRC any IP implementation must be able to receive frames of at
least 576 bytes. But there is no mandate of a minimum path MTU
of that size. 256 bytes or something in that order was common on
dialup modem links.

> But since you control PMTU on your network, you can simply shrink it
> enough and allow the ICMP traffic between trusted nodes only. Solves the
> problem.

I was thinking of the not so knowledgeable server/firewall admin
blocking ICMP without those measures. And, what's so bad about
ICMP "df needed" messages? Of course I'm not proposing to allow _all_
types of ICMP through.

punkt.de GmbH Internet - Services - Consulting
Vorholzstr. 25 Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe http://punkt.de
firewall-wizards mailing list
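
The selective ICMP policy discussed in this message, as an added example that is not part of the original thread: a filter decision that passes only ICMP "fragmentation needed" (type 3, code 4) and sanity-checks the quoted datagram and the next-hop MTU field. The function names and the sample packets (documentation addresses) are constructed for illustration.

```python
import struct

ICMP_DEST_UNREACH, CODE_FRAG_NEEDED = 3, 4
MIN_IPV4_MTU = 68   # RFC 791: smallest MTU any IPv4 link may have
DF_FLAG = 0x4000    # "don't fragment" bit in the IPv4 flags/offset word

def classify_icmp(icmp: bytes):
    """Return (allow, reason) for one ICMP message, outer IP header stripped."""
    if len(icmp) < 8:
        return False, "truncated ICMP header"
    icmp_type, code, _cksum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (ICMP_DEST_UNREACH, CODE_FRAG_NEEDED):
        return False, "not fragmentation-needed"
    quoted = icmp[8:]  # RFC 792: original IP header + first 8 payload bytes
    if len(quoted) < 20 or quoted[0] >> 4 != 4:
        return False, "quoted header is not IPv4"
    ihl = (quoted[0] & 0x0F) * 4
    if ihl < 20 or len(quoted) < ihl + 8:
        return False, "quoted datagram too short"
    flags_frag = struct.unpack("!H", quoted[6:8])[0]
    if not flags_frag & DF_FLAG:
        return False, "quoted datagram did not have DF set"
    if mtu == 0:
        # Routers predating RFC 1191 leave the field zero; the host must guess.
        return True, "no next-hop MTU (pre-RFC 1191 router)"
    if mtu < MIN_IPV4_MTU:
        return False, "implausible next-hop MTU"
    return True, f"next-hop MTU {mtu}"

def build_icmp(icmp_type, code, mtu, df=True):
    """Constructed sample: ICMP header plus a quoted 20-byte IPv4 header stub."""
    quoted_ip = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 1500, 1, DF_FLAG if df else 0,
        64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return (struct.pack("!BBHHH", icmp_type, code, 0, 0, mtu)
            + quoted_ip + b"\x00" * 8)

if __name__ == "__main__":
    samples = {
        "frag needed, MTU 1492": build_icmp(3, 4, 1492),
        "frag needed, MTU 256": build_icmp(3, 4, 256),
        "echo request": build_icmp(8, 0, 0),
        "redirect": build_icmp(5, 1, 0),
        "frag needed, MTU 40": build_icmp(3, 4, 40),
    }
    for name, pkt in samples.items():
        print(name, "->", classify_icmp(pkt))
```

A stateful firewall would additionally match the quoted addresses and ports against an existing connection before accepting the message.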