UDP don't fragment bit

Sten Daniel Sørsdal lists at wm-access.no
Thu Sep 22 04:13:38 PDT 2005


Dave Seddon wrote:
> Greeting Sten,
> I'm a little worried about a couple of the things you've said:
> 
> 1.  "It is more common to block icmp messages about reassembly problems
> than DF problems IF a message is generated in the first place."

> I think that's crap.  Most firewalls DO correctly and statefully accept
> the ICMP messages for existing sockets.  ipf and pf do, but I'm not sure
> about IPFW2, but I'd be surprised if it didn't.  I'd also be surprised
> if iptables in linux land didn't track the ICMP.  Most commercial
> firewalls, like Netscreen, Checkpoint, PIX, all do also.

You said it, most do it correctly but many do not. I don't think IPFW2
does. Many low end DSL routers don't.
But it's not the firewall's fault, it's admins who block the wrong ICMP
types. I.e. ICMP ECHO may pass but ICMP FRAGMENT TIME EXCEEDED may not.

People are taught that they need to specifically permit ICMP types and
drop all others. Often they do not identify the correct ones, or
identify the correct ones only for their own network.

> 
> 2.  "Consider a client connected to an isp's network(1). The isp drops all
> ICMP packets. That network is then connected to a third network(2) which
> has a data path that has an MTU of 1400 bytes but also mangles tcp mss
> to 1360, udp packets must get fragmented. On server size the firewall
> must reassemble all udp fragments before passing them on to server."

> If your ISP doesn't understand the importance of ICMP and they just drop
> it, change ISPs.  ICMP is critical to efficient TCP, and your whole
> thread is about getting that ability for UDP.  If your ISP does drop ICMP
> then the don't fragment option will just result in packets
> disappearing anyway.
> 

My ISP never would, but if they did drop ICMPs, then the whole point is
that the packet would disappear and not get fragmented.

You assume that UDP packets would have DF set by default.
This is not a discussion about whether it should be set by default,
because it shouldn't. DF should never ever be set by default!

One application would be to be able to find the most efficient packet
size for UDP from unprivileged userland in a multicast or unicast
environment regardless of both ICMP and fragmentation issues.

With DF set one would not need ICMP's to find the most efficient packet
size in a multicast application.

With DF NOT set, one is subject to fragmentation thus it would not
necessarily be the most efficient packet size.

-- 
Sten Daniel Sørsdal
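As an added illustration (not code from this thread or from FreeBSD), the userland probing Sten describes can be a plain binary search over a DF-marked probe that only looks for an application-level reply, never for ICMP. The probe is injectable; the path model, its 1400-byte MTU and the ICMP-dropping ISP are constructed to match the scenario quoted above.

```python
from typing import Callable

IP_HDR = 20       # IPv4 header without options
UDP_HDR = 8       # UDP header
MAX_PAYLOAD = 65535 - IP_HDR - UDP_HDR   # largest IPv4 UDP payload


def largest_deliverable_payload(probe: Callable[[int], bool],
                                lo: int = 0, hi: int = MAX_PAYLOAD) -> int:
    """Return the largest payload size n in [lo, hi] for which probe(n) is True.

    Assumes delivery is monotonic (if n gets through, every smaller size does).
    probe(n) must return True only when the peer answered; a probe that was
    silently blackholed counts as False, so the search needs no ICMP at all.
    """
    if not probe(lo):
        raise RuntimeError("even the smallest probe was not answered")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid          # mid fits, so the answer is at least mid
        else:
            hi = mid - 1      # mid was dropped, answer is below it
    return lo


class ConstructedPath:
    """Toy path model: one 1400-byte MTU hop behind an ISP that drops all ICMP,
    so an oversized DF datagram simply vanishes without any error message."""

    def __init__(self, path_mtu: int = 1400):
        self.path_mtu = path_mtu
        self.probes_sent = 0

    def send(self, payload_len: int, df: bool) -> bool:
        self.probes_sent += 1
        if IP_HDR + UDP_HDR + payload_len <= self.path_mtu:
            return True       # delivered unfragmented
        if df:
            return False      # dropped; the ICMP that would say why is filtered
        return True           # DF clear: router fragments it, peer still answers


def demo() -> tuple:
    """Compare the search with DF set and DF clear on the same path."""
    with_df = ConstructedPath()
    n_df = largest_deliverable_payload(lambda n: with_df.send(n, df=True))
    no_df = ConstructedPath()
    n_nodf = largest_deliverable_payload(lambda n: no_df.send(n, df=False))
    return n_df, n_nodf, with_df.probes_sent
```

With DF set the search converges on 1372 bytes (1400 minus the two headers) after about 17 probes; with DF clear every size is "delivered" because the routers fragment, so the search learns nothing about the efficient size.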


More information about the freebsd-net mailing list