
alex at digriz
Nov 3, 2009, 12:39 AM
Post #14 of 14
Hi,

* Dale Shaw <dale.shaw+cisco-nsp [at] gmail> [2009-11-03 11:18:01+1100]:
>
> On Tue, Nov 3, 2009 at 1:26 AM, Alexander Clouter <alex [at] digriz> wrote:
> > It is a pretty impressive [read: hard/unusual -- Ed.] to screw up non-SSLed traffic with an MTU
> > issue,
>
> In "Opposite Land"? or in a land where IPSec and PPPoX don't exist? :-)
>

Well at $ORK[-1] I was an ISP packet pusher and there all those 'factory default'ing 1492 MTU routers that blocked all ICMP traffic used to drive us mad. There regular HTTP traffic was always fine[1] as the request always fitted with no problem within a single MTU...it was only when you slapped on some SSL action (or tried to SMTP something about) that the MTU issue would appear.

So 'opposite' land being CPE rather than core networking land...hence my "you have to be a special person to have done this". Even the greatest ICMP offenders of the Internet (financial institutions) just gave up dealing with this crap and cranked all their servers to shunt their MTU to 1000ish and tinker with the MSS on the inbound TCP SYN packet.

So...this is why I focused on the "cannot browse websites", I personally am just stunned at the helpfulness[2] of the group to such a vague question. If any of the helldeskers here said that (which they often do, *sigh*) I have to re-remind them with the public flaying... :-/

Cheers

[1] back in the day when you did not have honkingly large cookies, wtf?
[2] come on guys, I felt you were all much more on the ball the way you handled http://marc.info/?l=cisco-nsp&m=125441497832189&w=2 :)

--
Alexander Clouter
.sigmonster says: A vivid and creative mind characterizes you.
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/