Path MTU Discovery

IPv6 routers do not fragment packets in transit (only the originating host may fragment), so the firewall uses two methods to reduce the need to fragment translated packets:
  • When the firewall translates an IPv4 packet whose DF (Don't Fragment) bit is zero, the sender is signalling that it expects intermediate routers to fragment the packet if it is too large. After translation, however, the packet is IPv6, and IPv6 routers do not fragment packets in transit. Instead, you configure the size into which the firewall fragments such IPv4 packets before translating them: the NAT64 IPv6 Minimum Network MTU setting (Device > Setup > Session), which follows RFC 6145, IP/ICMP Translation Algorithm (since obsoleted by RFC 7915). Setting the NAT64 IPv6 Minimum Network MTU to its maximum value causes the firewall to fragment IPv4 packets to the IPv6 minimum size before translating them to IPv6. (The NAT64 IPv6 Minimum Network MTU does not change the interface MTU.)
  • The other method the firewall uses to reduce fragmentation is Path MTU Discovery (PMTUD). In an IPv4-initiated session, if an IPv4 packet to be translated has the DF bit set and the translated packet would not fit the MTU of the egress interface, the firewall drops the packet and, as PMTUD requires, returns an ICMP Destination Unreachable, Fragmentation Needed (Type 3, Code 4) message to the source. The source lowers its path MTU for that destination and resends smaller packets, repeating the process until the path MTU is small enough for delivery. Keep in mind that translation grows each packet by 20 bytes (a 40-byte IPv6 header replaces a 20-byte IPv4 header without options), so the MTU the IPv4 host ends up with is 20 bytes below the IPv6 egress MTU.
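
The two decisions above, as an added model that is not firewall code: a small Python simulation of how a NAT64 translator handles an oversized IPv4 packet depending on its DF bit, using the header-size arithmetic from RFC 6145 (IPv6 header 20 bytes larger than IPv4, fragment offsets in 8-octet units). The names `translate` and `pmtud_session`, the dataclasses, and the assumption that a DF=0 packet is fragmented to the smaller of the configured minimum MTU and the egress MTU are mine; the firewall's internal behaviour beyond what the text states is not claimed.

```python
"""Model of NAT64 pre-translation fragmentation (DF=0) and PMTUD (DF=1).

Constructed example: byte counts only, no packets are built or sent.
"""
from dataclasses import dataclass
from typing import List, Union

IPV4_HDR = 20        # assumes an IPv4 header with no options
IPV6_HDR = 40
IPV6_FRAG_HDR = 8    # Fragment Header carried by every translated fragment
IPV6_MIN_MTU = 1280  # minimum IPv6 link MTU (RFC 8200)


@dataclass
class IPv4Packet:
    total_length: int  # bytes, including the 20-byte IPv4 header
    df: bool           # Don't Fragment flag


@dataclass
class IPv6Packet:
    total_length: int  # bytes, including IPv6 header (and Fragment Header if any)
    fragmented: bool


@dataclass
class IcmpFragNeeded:
    """ICMPv4 Type 3 Code 4 sent back to the IPv4 source (modelled, not built)."""
    next_hop_mtu: int


def translate(pkt: IPv4Packet, nat64_min_mtu: int, egress_mtu: int
              ) -> Union[List[IPv6Packet], IcmpFragNeeded]:
    """Return the IPv6 packet(s) the translator would emit, or the ICMP error."""
    v6_len = pkt.total_length - IPV4_HDR + IPV6_HDR   # header grows by 20 bytes
    if pkt.df:
        if v6_len > egress_mtu:
            # PMTUD path: drop and advertise an MTU the IPv4 host can use,
            # reduced by the 20-byte header growth (RFC 6145 section 4).
            return IcmpFragNeeded(next_hop_mtu=egress_mtu - (IPV6_HDR - IPV4_HDR))
        return [IPv6Packet(v6_len, fragmented=False)]
    # DF clear: fragment the IPv4 packet *before* translation so that every
    # translated fragment, including its Fragment Header, fits the target MTU.
    target = min(nat64_min_mtu, egress_mtu)   # assumption: never exceed egress MTU
    if v6_len <= target:
        return [IPv6Packet(v6_len, fragmented=False)]
    payload = pkt.total_length - IPV4_HDR
    chunk = (target - IPV6_HDR - IPV6_FRAG_HDR) // 8 * 8   # offsets are 8-octet units
    if chunk <= 0:
        raise ValueError("target MTU too small to carry any payload")
    frags = []
    for off in range(0, payload, chunk):
        piece = min(chunk, payload - off)
        frags.append(IPv6Packet(IPV6_HDR + IPV6_FRAG_HDR + piece, fragmented=True))
    return frags


def pmtud_session(initial_len: int, nat64_min_mtu: int, egress_mtu: int,
                  max_rounds: int = 8) -> List[int]:
    """IPv4 total lengths a DF-setting host tries, in order, until one is delivered."""
    tried, size = [], initial_len
    for _ in range(max_rounds):
        tried.append(size)
        result = translate(IPv4Packet(size, df=True), nat64_min_mtu, egress_mtu)
        if isinstance(result, IcmpFragNeeded):
            if result.next_hop_mtu >= size:
                raise RuntimeError("ICMP advertised no reduction; would loop forever")
            size = result.next_hop_mtu      # host lowers its path MTU and retries
            continue
        return tried
    raise RuntimeError("path MTU not found within max_rounds")


if __name__ == "__main__":
    # 1500-byte IPv4 packet, DF clear: fragmented to fit a 1280-byte IPv6 MTU.
    for f in translate(IPv4Packet(1500, df=False), IPV6_MIN_MTU, 1500):
        print(f)
    # Same packet with DF set against a 1500-byte IPv6 egress: ICMP, then 1480 fits.
    print(translate(IPv4Packet(1500, df=True), IPV6_MIN_MTU, 1500))
    print(pmtud_session(1500, IPV6_MIN_MTU, 1500))
```

The DF=0 branch shows why the translated fragments come out at exactly 1280 bytes: 1280 minus the 40-byte IPv6 header and the 8-byte Fragment Header leaves 1232 bytes of payload, which is already a multiple of 8. The DF=1 branch shows the 20-byte adjustment in the advertised MTU; an IPv4 host that starts at 1500 settles at 1480 after one round trip.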
