* Brian E Carpenter

> Maybe we consider it acceptable that SIIT will break on paths that
> include a shorter-than-Ethernet link MTU. But we need to make that
> statement explicit.

Making ICMPv6 PTB with MTU < 1280 invalid would only break SIIT for IPv4 paths with an IPv4 MTU, as an ICMPv4 Fragmentation Needed indicating an MTU value of 1260 would be translated to an ICMPv6 Packet Too Big with an MTU value of 1280 by the SIIT translator. See RFC 6145 section 4.2.

In other words, "shorter-than-Ethernet link MTU" is fine, IFF the paths in the IPv4 domain are >=1260 (and obviously >=1280 in the IPv6 domain, but that is guaranteed irrespective of SIIT).

I discuss this briefly in my SIIT-DC draft here:

http://htmlpreview.github.io/?https://github.com/toreanderson/ietf/blob/master/siit-dc.html#rfc.section.3.8.2

Finally, there is a workaround (described in section 4.5 of my draft). In a nutshell:

1) Clamp all MTU values in translated ICMPv6 PTBs up to 1280
2) When translating IPv6 packets <=1280 bytes to IPv4, always clear the DF flag and generate an Identification value.

This will hide the path with the small <1260/1280 IPv4/IPv6 MTU from the IPv6 node by making the IPv4 network fragment the packets instead.

How common IPv4 paths with an MTU of <1260 are on today's internet, I don't know. Maybe the RIPE Atlas team could find out for us? It could be that the problem isn't worth losing too much sleep over in the first place.

Tore
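
The two-step workaround described in the message above, as an added example that is not part of the original post or of the SIIT-DC draft. All function names are hypothetical. The model assumes 20-byte IPv4 headers without options, a sender that discards any PTB with MTU < 1280 (the proposal under discussion), and DF=1 with Identification 0 for translated packets larger than 1280 bytes.

```python
import itertools

IPV6_MIN_MTU = 1280
HDR_DIFF = 20  # IPv6 header (40 bytes) minus option-less IPv4 header (20 bytes)
_ident = itertools.count(1)  # stand-in Identification generator (assumption)

def ptb_mtu_v4_to_v6(icmpv4_mtu, clamp=True):
    """MTU for the ICMPv6 PTB translated from an ICMPv4 Fragmentation Needed."""
    mtu = icmpv4_mtu + HDR_DIFF
    return max(mtu, IPV6_MIN_MTU) if clamp else mtu  # step 1: clamp up to 1280

def v4_frag_fields(ipv6_len, workaround=True):
    """(DF, Identification) for the IPv4 packet translated from an
    unfragmented IPv6 packet of ipv6_len bytes."""
    if workaround and ipv6_len <= IPV6_MIN_MTU:
        return False, next(_ident) & 0xFFFF  # step 2: clear DF, generate an ID
    return True, 0  # assumed default for the larger packets

def deliver(ipv6_len, v4_path_mtu, workaround):
    """One attempt across the translator and the IPv4 path.
    Returns ('delivered', fragment_count) or ('ptb', advertised_mtu)."""
    v4_len = ipv6_len - HDR_DIFF
    df, _ = v4_frag_fields(ipv6_len, workaround)
    if v4_len <= v4_path_mtu:
        return "delivered", 1
    if df:  # IPv4 router answers Fragmentation Needed, translated to a PTB
        return "ptb", ptb_mtu_v4_to_v6(v4_path_mtu, clamp=workaround)
    payload = v4_len - 20                  # bytes behind the IPv4 header
    per_frag = (v4_path_mtu - 20) // 8 * 8  # fragment payloads are 8-byte aligned
    return "delivered", -(-payload // per_frag)  # ceiling division

def send(ipv6_len, v4_path_mtu, workaround):
    """IPv6 sender doing path MTU discovery. Returns (size, fragments) on
    delivery, or None when the path is a black hole for this sender."""
    pmtu = 1500
    for _ in range(4):
        size = min(ipv6_len, pmtu)
        result, value = deliver(size, v4_path_mtu, workaround)
        if result == "delivered":
            return size, value
        if value < IPV6_MIN_MTU:
            return None  # PTB treated as invalid, sender never adapts
        pmtu = value
    return None
```

With a constructed IPv4 path MTU of 1000, `send(1400, 1000, workaround=False)` black-holes, while `workaround=True` delivers a 1280-byte packet that the IPv4 network splits into two fragments.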
