> by GRE or IPSec. With this in mind, would we be safe to flag/drop/whatever
> all fragments smaller than 1200 bytes that are not last fragments
> (i.e., more fragments is still set)?

No. Check previous thread about IPSec and MTU. Some IPSec implementations split the greater-than-MTU sized packet in half in order to avoid the possibility of further fragmentation down the road, thus better performance.

~Hani Mustafa
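
The false positive described in the reply above, modelled as an added example (not code from the thread): the proposed 1200-byte rule is applied to one oversized packet fragmented conventionally and split in half. The 1600-byte packet, 1500-byte MTU, 20-byte IPv4 header and all function names are constructed assumptions, and the equal-split model only covers packets that fit in two fragments.

```python
IP_HEADER = 20  # bytes; IPv4 header without options (assumption)

def _build(payload, per_frag):
    """Cut `payload` bytes into fragments carrying at most `per_frag` data bytes."""
    frags, offset = [], 0
    while offset < payload:
        data = min(per_frag, payload - offset)
        frags.append({
            "offset": offset // 8,             # fragment offset in 8-byte units
            "len": data + IP_HEADER,           # total length of this fragment
            "mf": offset + data < payload,     # More Fragments flag
        })
        offset += data
    return frags

def fragment_fill_mtu(total_len, mtu):
    """Conventional behaviour: every non-last fragment is as large as the MTU allows."""
    per_frag = (mtu - IP_HEADER) // 8 * 8      # data must be a multiple of 8 bytes
    return _build(total_len - IP_HEADER, per_frag)

def fragment_split_half(total_len, mtu):
    """Equal-split behaviour from the reply: two fragments of roughly equal size."""
    payload = total_len - IP_HEADER
    per_frag = ((payload + 1) // 2 + 7) // 8 * 8   # first half, rounded up to 8 bytes
    if per_frag + IP_HEADER > mtu:
        raise ValueError("packet does not fit in two fragments at this MTU")
    return _build(payload, per_frag)

def flagged(frags, threshold=1200):
    """The rule proposed in the question: MF set and total length below threshold."""
    return [f for f in frags if f["mf"] and f["len"] < threshold]

if __name__ == "__main__":
    for name, fn in (("fill-MTU", fragment_fill_mtu), ("split-half", fragment_split_half)):
        frags = fn(1600, 1500)                 # constructed sample packet and MTU
        print(name, [f["len"] for f in frags], "flagged:", len(flagged(frags)))
```
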
