On May 9, 2015, at 7:43 AM, erik quanstrom <quanstro@quanstro.net> wrote:

> easy enough until one encounters devices that don't send icmp
> responses because it's not implemented, or somehow considered
> "secure" that way.

Oddly enough, I don't see this 'problem' in the real world.  And FreeBSD is far from being alone in the always-set-DF bit.

The only place this bites is when you run into tiny shops with homegrown firewalls configured by people who don't understand networking or security.  Me, I consider it a feature that these sites self-select themselves off the network.  I'm certainly no worse off for not being able to talk to them.