Mark Smith;

> > Filtering on protocol/port numbers is a broken concept.

Yes, it is.

However, it is merely as broken as PMTUD, so we don't need a security discussion to deny PMTUD.

> I've understood that what you have described is the end-goal
> of end-to-end, opportunistic encryption and authentication, i.e.
> IPsec.

Back to the original problem: PMTUD depends on the capabilities of intermediate systems on a path to generate certain ICMP messages, the generation of which is as complex as fragmentation itself, so that it is not very end-to-end.

That is, PMTUD is a broken concept.

Masataka Ohta

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf