Re: MTU to CDN's

[Owen DeLong <owen () delong com>]

> On Jan 18, 2018, at 4:32 PM, William Herrin <bill () herrin us> wrote:
>
> On Thu, Jan 18, 2018 at 7:14 PM, Jared Mauch <jared () puck nether net> wrote:
> > lets say i can
> > send you a 9K packet.  If you receive that frame, and realize you need
> > to fragment, then it’s your routers job to slice 9000 into 5 x 1500.
>
> In practice, no, because the packet you sent had the "don't fragment"
> bit set. That means my router is not allowed to fragment the packet.
> Instead, I must send the originating host an ICMP destination
> unreachable packet stating that the largest packet I can send further
> is 1500 bytes.
>
> You might receive my ICMP message. You might not. After all, I am not
> the host you were looking for.

This gets especially bad in cases such as anycast where the return path may be asymmetrical and could result in 
delivery of the ICMP PTB message to a different anycast instance or to a stateless load balancer that is incapable of 
determining which machine originated the packet being referenced.

One of the many reasons I continue to question the wisdom of using anycast for multi-packet transactions.

Owen

> Good luck.
>
> Regards,
> Bill Herrin
>
>
> P.S. This makes Linux servers happy:
>
> iptables -t mangle --insert POSTROUTING --proto tcp \
>        --tcp-flags SYN,RST,FIN SYN --match tcpmss --mss 1241:65535 \
>        --jump TCPMSS --set-mss 1240
>
>
>
> -- 
> William Herrin ................ herrin () dirtside com  bill () herrin us
> Dirtside Systems ......... Web: <http://www.dirtside.com/>