The Size Limit
Every link has a maximum transmission unit, the largest packet it will carry in one piece. When a packet exceeds the MTU of a link along the path, something must split it or reject it, and that is where subtle failures begin.
Fragmentation And Its Pitfalls
There are two ways to handle an oversized packet, and both have downsides.
- A router can fragment the packet into smaller pieces that are reassembled at the destination.
- If the Don't Fragment (DF) flag is set, the router instead rejects it and sends back an ICMP notice. That notice triggers path MTU discovery, which lowers the size to fit.
The trap is that if a firewall blocks the ICMP notice, the sender never learns to shrink the packet.
The Black Hole
When the notice is lost, large packets silently vanish while small ones get through. This black hole looks bizarre: a handshake succeeds because it uses tiny packets, then the connection hangs the moment a full-sized packet is sent. The fix is to allow the ICMP messages that path MTU discovery needs, or to clamp the segment size down to a safe value.
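The black hole and both fixes, as a small simulation added here for illustration (not code from the original page). The link MTUs, the 40-byte header overhead (IPv4 plus TCP without options) and all function names are assumptions made for the model.

```python
# Constructed model of a path: link MTUs in bytes, sender to receiver.
PATH_MTUS = [1500, 1400, 1500]   # middle hop is the narrow link (assumed values)
IP_TCP_HEADERS = 40              # IPv4 (20) + TCP (20), no options (assumption)

def forward(size, mtus):
    """Send one DF-marked packet along the path. Returns ('delivered', None),
    or ('rejected', mtu) with the MTU the rejecting router would report."""
    for mtu in mtus:
        if size > mtu:
            return ("rejected", mtu)
    return ("delivered", None)

def send(size, mtus, icmp_allowed, max_tries=5):
    """Sender doing path MTU discovery. Returns (outcome, final_size).
    If a firewall filters the ICMP notice, the sender retries the same size."""
    for _ in range(max_tries):
        status, hop_mtu = forward(size, mtus)
        if status == "delivered":
            return ("delivered", size)
        if not icmp_allowed:
            continue            # notice dropped: the sender learns nothing
        size = hop_mtu          # notice received: shrink to fit and retry
    return ("black-holed", size)

def clamped_mss(mtus):
    """Segment size that fits the narrowest link without relying on ICMP."""
    return min(mtus) - IP_TCP_HEADERS

def scenario(icmp_allowed, mss=None):
    """A tiny handshake packet followed by one full-sized data packet."""
    full = (mss + IP_TCP_HEADERS) if mss is not None else PATH_MTUS[0]
    handshake = send(60, PATH_MTUS, icmp_allowed)[0]
    data = send(full, PATH_MTUS, icmp_allowed)
    return handshake, data

if __name__ == "__main__":
    print("ICMP allowed       :", scenario(True))
    print("ICMP blocked       :", scenario(False))
    print("blocked, MSS clamp :", scenario(False, clamped_mss(PATH_MTUS)))
```

With the notice blocked, the handshake is delivered but the 1500-byte packet is retried at the same size until the sender gives up, which is the hang described above.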
Key idea
When a packet exceeds a link MTU it is fragmented or rejected with an ICMP notice that drives path MTU discovery, and blocking that notice creates a black hole where small packets pass but large ones vanish, fixed by allowing the ICMP or clamping the segment size.