On 25.12.2025 10:28 William Herrin <[email protected]> wrote:
> It depends on the price. When you're trying to minimize the price of
> your service, IPv4 addresses have become one of the expenses you can
> tweak.

I agree on CGNAT (or other forms of NAT) for IPv4, but not IPv6.

> > > - TCP MSS - MSS Clamping all connections
> > >
> > > - TCP MSS - MSS Clamping, but you instead (accidentally?) set MSS
> > > to your desired value even if it was lower before
> >
> > This is crap. ICMP exists for this and also works for UDP.
>
> With due respect, it's no secret that PMTUD on the Internet is broken.
> There are just too many ways for that ICMP packet from the middle box
> to get lost and not all of them are a result of ignorant
> configuration. PMTUD is one of the very few places that IPv4's
> designers broke with the end-to-end principle and it shows.

IPv4 is indeed nasty because if the DF bit is not set, a router might fragment and the receiver might not handle that properly. Everything else is handled by ICMP. If people are blocking that, it is their fault.

> If you know you're transiting a link with an MTU below 1500, reliable
> use means clamping the MSS. Sorry, but that's how it is these days.

If that fixed the problem, it is still broken and everything else (like UDP) is broken.

> > > - Related to above - Network accepts TCP connection which it will
> > > intercept (sends SYN/ACK to user) before it confirms that the
> > > destination is reachable
> >
> > Are you a crappy ISP that really needs to do this?
>
> Geostationary satellite. You HAVE to do things to speed up TCP or the
> customer feels the pain.

If the customer agrees to that - fine. But as a customer I want to know what interception is being done.

> > > - Dropping/resetting port 80 sessions that don't ‘look like’ HTTP
> > >
> > > - Dropping/resetting port 443 sessions that don't ‘look like’ TLS
> >
> > Can you please stop interfering with connections?
> > You are an ISP and people pay you for transferring the data they
> > requested.
>
> This is usually done by enterprises rather than ISPs. Except when the
> DDOS mitigation service is active. Then they're quite pointedly
> filtering out non-standard traffic.

Enterprises are not ISPs for normal situations. I do filter stuff too in certain parts of my network, but I can decide myself what to filter, rather than my ISP.

--
kind regards
Marco

Send spam to [email protected]
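The two MSS behaviours the thread distinguishes (clamping to the smaller of advertised and desired, versus the mistake of overwriting an already smaller MSS) as an added example that is not part of this thread or any poster's code; it assumes a PPPoE-style 1492-byte link and uses constructed SYN option bytes.

```python
import struct

EOL, NOP, MSS = 0, 1, 2  # TCP option kinds (RFC 9293)

def mss_for_mtu(mtu: int, ipv6: bool = False) -> int:
    """Largest MSS that fits a link MTU: MTU minus bare IP and TCP headers."""
    return mtu - (40 if ipv6 else 20) - 20

def _walk_options(options: bytes):
    """Yield (offset, kind, length) per well-formed option; stop at EOL or garbage."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == EOL:
            return
        if kind == NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            return
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return  # malformed option: leave the rest untouched
        yield i, kind, length
        i += length

def read_mss(options: bytes):
    """Advertised MSS from a SYN's options, or None if there is no MSS option."""
    for off, kind, length in _walk_options(options):
        if kind == MSS and length == 4:
            return struct.unpack_from("!H", options, off + 2)[0]
    return None

def clamp_mss(options: bytes, desired: int, overwrite: bool = False) -> bytes:
    """Rewrite a SYN's MSS option. overwrite=False is proper clamping
    (min(advertised, desired)); overwrite=True reproduces the mistake from the
    thread, forcing MSS := desired even when the peer advertised less."""
    out = bytearray(options)
    for off, kind, length in _walk_options(options):
        if kind == MSS and length == 4:
            adv = struct.unpack_from("!H", out, off + 2)[0]
            struct.pack_into("!H", out, off + 2, desired if overwrite else min(adv, desired))
    return bytes(out)

# Constructed SYN options: MSS 1460, SACK-permitted, timestamps, NOP, window scale 7.
SYN_OPTIONS = b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + bytes(8) + b"\x01" + b"\x03\x03\x07"
# Same client already advertising MSS 1200 (e.g. it sits behind a tunnel).
SMALL_MSS_OPTIONS = b"\x02\x04\x04\xb0" + SYN_OPTIONS[4:]
# A PPPoE-style 1492-byte link (assumed) wants TCP MSS no larger than 1452.
PPPOE_MSS = mss_for_mtu(1492)
```

Only the MSS option bytes change; SACK, timestamp and window-scale options pass through untouched, and an option list that ends in garbage is left as-is rather than guessed at.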
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/S2YXKQ7IFUDOMUMUACX64MUE3NZVTOOT/
