I've recently come up against the issue of some ISP routers in New Zealand which block ICMP. This creates an issue for some of our clients, who we deliver service to via GRE tunnels over a multi-hop wireless network.
this is largely an off-topic response, but while on the topic of PMTUD i'd like to point at a tool useful to debug forward path PMTUD issues, like tracepath does for example. Note that Jonathan's problem is a reverse path issue.

http://www.wand.net.nz/scamper/

given an IP address, scamper will do a traceroute towards it to establish the forward path and an address at the end of the network that will terminate probes. then it will try ICMP based PMTUD starting with the interface's MTU size. If it does not get a response, it tries smaller packet sizes until it has inferred the largest packet that will get some response from the path. Then it does a TTL limited search to infer the hop[s] possibly responsible for not sending an ICMP Fragmentation Required message. It marks the mtu annotations for the hop[s] with an asterisk.

For example, here's a sanitised example:

traceroute from 199.109.33.1 to XXX
 1 199.109.33.254 0.744 ms [mtu: 4470]
 2 XXX 14.041 ms [mtu: 4470]
 3 XXX 26.454 ms [mtu: 4470]
 4 XXX 22.627 ms [mtu: 4470]
 5 XXX 35.079 ms [mtu: 4470]
 6 XXX 38.690 ms [mtu: 4470]
 7 XXX 47.683 ms [mtu: 4470]
 8 XXX 59.337 ms [mtu: 4470]
 9 XXX 63.797 ms [mtu: 4470]
10 XXX 61.082 ms [*mtu: 1514]
11 XXX 60.909 ms [mtu: 1500]
12 XXX 61.541 ms [mtu: 1500]

Note that the path between hop 9 and 10 probably has a L2 disagreement on the media's MTU size as the hop will happily generate other ICMP types.

./scamper -4mi <IP addresses>

is the basic usage of scamper for this purpose.
My question for the list is, what are the known PMTUD "black holes" in New Zealand?
at one point this was the case with at least one large internet banking site, where they filtered out [at a minimum] inbound ICMP unreach. i have no idea if this is still the case. ICMP6's packet-too-big message is a completely different ICMP type, presumably to try and prevent that message being turned off through naive filtering of ICMP6 unreach.
Is there anyone out there unwilling to allow ICMP into their network? How do we make sure Path MTU Discovery works to all endpoints within NZ?
there is some effort to make PMTUD work the other way around. the idea is that a host will start off sending small size packets and work their way up through larger packet sizes until a frame is dropped.

http://www.psc.edu/~mathis/draft/draft-ietf-pmtud-method-XX.txt
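
Added example, not part of the original message and not scamper's own code: an offline simulation of the search described above (shrink the probe until something answers, then a TTL-limited search for the silent hop). The path model and the names PATH, send and pmtud are assumptions made for illustration; no packets are sent, and a real tool would try far fewer sizes than the byte-by-byte step used here.

```python
# Constructed path modelled on the sanitised trace: one entry per hop,
# (MTU of the link towards this hop, silent). silent=True means the router
# feeding that link drops oversized DF packets without sending ICMP.
PATH = [(4470, False)] * 9 + [(1514, True), (1500, False), (1500, False)]

def send(path, size, ttl):
    """Simulate one DF probe. Returns ('frag', hop, mtu), ('ttl', hop),
    ('reply', hop), or None when the probe vanishes silently."""
    for i, (mtu, silent) in enumerate(path):
        if size > mtu:                       # does not fit the link to hop i
            return None if silent else ("frag", i - 1, mtu)
        if i == len(path) - 1:
            return ("reply", i)              # destination answers
        ttl -= 1
        if ttl == 0:
            return ("ttl", i)                # hop i sends TTL exceeded

def pmtud(path):
    """Return one (mtu, inferred) annotation per hop; inferred=True is the
    asterisk: the MTU was deduced from silence, not read from an ICMP message."""
    size, first, notes = path[0][0], 0, []   # start at the interface MTU
    while first < len(path):
        resp = send(path, size, 255)
        if resp and resp[0] == "reply":      # probe fits the rest of the path
            notes += [(size, False)] * (len(path) - first)
            break
        if resp:                             # Fragmentation Required received
            _, hop, mtu = resp
            notes += [(size, False)] * (hop + 1 - first)
            first, size = hop + 1, mtu
            continue
        # Silence: largest smaller size that gets some response from the path.
        good = next(s for s in range(size - 1, 67, -1) if send(path, s, 255))
        # TTL-limited search: last hop that still answers the oversized probe.
        last = first - 1
        for ttl in range(first + 1, len(path) + 1):
            if not send(path, size, ttl):
                break
            last = ttl - 1
        notes += [(size, False)] * (last + 1 - first)
        notes.append((good, True))           # hop just past the silent link
        first, size = last + 2, good
    return notes

if __name__ == "__main__":
    for n, (mtu, inferred) in enumerate(pmtud(PATH), 1):
        print(f"{n:2d} [{'*' if inferred else ''}mtu: {mtu}]")
```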