[yardstick]

1200 MTU often in my experience does the trick.

But, I don’t like the presumption in IPv6 that everything supports 1280. What if there is a VPN running over a 1280-MTU link, what is the MTU of the encrypted IPv6 payload? Now add in a couple more layers of VPNs for good measure.

[phicoh]

1280 is a guarantee by the IPv6 standard. If you run a VPN over a link with 1280 MTU then the VPN protocol has to have a way of fragmenting the payload (which could be using fragmentation in IPv6, but application specific is likely to work better).

[yardstick]

Yes I mostly agree, the tricky part is what to do about packets marked as Don’t Fragment. Hopefully they are already well under the actual MTU, but if need be, should they be fragmented or dropped? (The answer is to fragment all except icmp imo, even if it’s against the wishes of the packet IP headers)

[phicoh]

Technically the packets don't get fragmented. It is the tunnel that fragments.

For example, in the bad old days, when there was still a lot of ATM, packets would routinely get transmitted in 48 byte pieces (with a 5 byte header). Nobody wondered whether this kind of fragmentation should honor the DF bit.

If I recall correctly, multi-link PPP could also split a packet in smaller pieces to transmit it over multiple links at the same time.

So for IPv6, anything that is 1280 octets or smaller needs to forwarded without triggering a packet too big ICMP. Otherwise the link violates the IPv6 standard.

[yardstick]

Good point, thanks for the insight!

[kazen44]

with IPv6, one could also do MTU-path discovery. Which would automatically set the correct MTU based on a ICMP test between nodes and all endpoints.

[nieve]

Wasn't it established in the article that PMTUD was broken by the asymmetric routing?

[mprovost]

But you don't need VPNs with IPv6, it has encryption built it and you don't need NAT because every node is directly accessible!

[yardstick]

Apologies, I can’t tell if you are being serious or satire.

I’m leaning towards satire but in case you are serious, IPv6 built-in encryption is IPsec using opportunistic encryption (which then relies on dnsec…), and it’s not built into all IPv6 endpoints. Nor easy to configure, debug or support.

WireGuard, OpenVPN, etc are easier for users to configure and set up than IPsec, and less chances of mismatched configs, unsupported cipher suites, etc.

As for NAT, that’s irrelevant to the reason for using a VPN. IPv6 has Unique Local Addresses (ULA), which can be routable across and organisation but not from the internet, and so you may want a VPN for access to those. You may also simply want to extend your IPv6 network to a remote location that doesn’t have native IPv4, or whose ISP doesn’t provide sufficient delegated subnet ranges for your requirements. The VPN could also be to provide access to an IPv4 network behind the IPv6 router. The list goes on…