[lacnog] Fwd: Juniper screening large ICMP packets

Fernando Gont fgont at si6networks.com
Mon Aug 22 21:20:25 BRT 2011


FYI

-------- Original Message --------
Subject: Juniper screening large ICMP packets
Date: Mon, 22 Aug 2011 11:24:51 +0200
From: Sander Steffann <sander at steffann.nl>
To: ipv6-ops at lists.cluenet.de

Hi,

FYI:

Last week I found out the hard way that turning on Juniper screening of
large ICMP messages
(http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/id-41418.html)
breaks IPv6 path MTU discovery. The packet-too-big messages are being
dropped on interfaces that have this 'feature' turned on. I noticed the
same behavior on an SSG-140 (ScreenOS based) and on an SRX-240 (JunOS
based) where the server was behind the firewall and the client was using
a HE or SixXS tunnel.

One more thing to check when debugging broken pMTU...
Sander
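
Why a size-based ICMP screen catches Packet Too Big, as an added example that is not part of the original message: RFC 4443 requires ICMPv6 errors to quote as much of the offending packet as fits in 1280 bytes, so a compliant Packet Too Big is normally a 1280-byte packet. The 1024-byte screen limit, the 2001:db8:: addresses, the 1480-byte tunnel MTU and the all-zero invoking packet are assumptions or constructed values.

```python
import ipaddress
import struct

IPV6_MIN_MTU = 1280       # RFC 8200: minimum IPv6 link MTU
IPV6_HDR_LEN = 40
ICMP6_HDR_LEN = 8         # type, code, checksum, 32-bit MTU field
ICMP6_PACKET_TOO_BIG = 2  # RFC 4443, section 3.2
SCREEN_LIMIT = 1024       # assumption: size limit of the large-ICMP screen, in bytes


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ptb(router: str, sender: str, next_hop_mtu: int, invoking: bytes) -> bytes:
    """Build the IPv6 Packet Too Big a router returns for `invoking`."""
    src = ipaddress.IPv6Address(router).packed
    dst = ipaddress.IPv6Address(sender).packed
    # RFC 4443 2.4(c): quote as much of the invoking packet as fits in 1280 bytes.
    quoted = invoking[: IPV6_MIN_MTU - IPV6_HDR_LEN - ICMP6_HDR_LEN]
    body = struct.pack("!BBHI", ICMP6_PACKET_TOO_BIG, 0, 0, next_hop_mtu) + quoted
    pseudo = src + dst + struct.pack("!I3xB", len(body), 58)
    body = body[:2] + struct.pack("!H", checksum(pseudo + body)) + body[4:]
    header = struct.pack("!IHBB", 6 << 28, len(body), 58, 64) + src + dst
    return header + body


def screen_verdict(packet: bytes, limit: int = SCREEN_LIMIT) -> dict:
    """Sizes a size-based ICMP screen would see, and whether they exceed limit."""
    icmp_len = len(packet) - IPV6_HDR_LEN
    return {"packet_len": len(packet), "icmp_len": icmp_len,
            "dropped": icmp_len > limit}


if __name__ == "__main__":
    invoking = bytes(1500)  # constructed stand-in for a full-size packet from the server
    ptb = build_ptb("2001:db8:1::1", "2001:db8:2::10", 1480, invoking)
    print(screen_verdict(ptb))
```

Because a router only sends Packet Too Big for packets larger than a link MTU of at least 1280 bytes, the quoted data always fills the message, so the result does not depend on the tunnel MTU chosen here.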



