The old assumption used to be that if a host has an IP address, it can receive pretty much any packet sent to that address. The practical situation we have today is that if two hosts communicate over a given protocol and port, they can receive packets from the same "five tuple" but are not guaranteed to receive other packets. This has an important consequence for many IETF designed protocols, including indeed path MTU discovery.
So you are saying that when a host sends out an IP packet with the DF bit set, it's ok for that host (or any system on the path to that host) to filter out ICMP "fragmentation needed but DF bit set" messages?
Filtering on protocol/port numbers is a broken concept. When are we going to take the time to come up with a *real* security architecture? One that allows hosts to receive wanted packets and reject unwanted ones, rather than the current one where any correlation to whether a packet is wanted and whether it's rejected seems coincidental at best? One that at least entertains the possibility of doing something about denial of service attacks? And, last but not least, one that allows reasonable protocols, carrying desired communication, to function without undue breakage?
_______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf