MTU path discovery and IPSec
Two questions: 1) I assume MTU path discovery has to be enabled on each router in the path in order for it to work correctly?! 2) Has anybody used this to solve application issues over an IPSec tunnel due to too large of a frame? Any help would be great. Thanks
In message <120320031605.8838.1dea@comcast.net>, jgraun@comcast.net writes:
> Two questions:
> 1) I assume MTU path discovery has to be enabled on each router in the path in order for it to work correctly?!
No -- it only has to be enabled on routers with smaller outbound MTUs than inbound. A router for which all links have a 1500-byte MTU doesn't need path MTU discovery; it will never need to fragment anything.

--Steve Bellovin, http://www.research.att.com/~smb
A subtle correction... A router where all MTUs are the same will never have to fragment anything. A router where all MTUs are >=1500 will probably not need to fragment anything. However, it is possible to attach a host via GIG-E or other media which supports jumbo frames (Frame Relay, for example) and need to fragment to support a 1500 octet MTU. Currently, this would be a rare occurrence, but it is possible in some circumstances. Eventually, if this assumption were to circulate widely, it could have similar consequences to many other errant assumptions on the internet.

Owen

--On Wednesday, December 3, 2003 11:19 AM -0500 "Steven M. Bellovin" <smb@research.att.com> wrote:
> In message <120320031605.8838.1dea@comcast.net>, jgraun@comcast.net writes:
> > Two questions:
> > 1) I assume MTU path discovery has to be enabled on each router in the path in order for it to work correctly?!
> No -- it only has to be enabled on routers with smaller outbound MTUs than inbound. A router for which all links have a 1500-byte MTU doesn't need path MTU discovery; it will never need to fragment anything.
> --Steve Bellovin, http://www.research.att.com/~smb
-- If it wasn't crypto-signed, it probably didn't come from me.
On Wed, 03 Dec 2003 16:05:39 GMT, jgraun@comcast.net said:
> 1) I assume MTU path discovery has to be enabled on each router in the path in order for it to work correctly?!
Actually, no. All that's required is that:

a) The router handle the case of a too-large packet with the DF bit set by sending back an ICMP 'Dest Unreachable - Frag Needed' packet. I've never actually encountered a router that didn't get this part right. (Has anybody ever seen a router botch this, *other* than a config error covered in (b) below?)

b) said ICMP makes it back to the originating machine. This is where all the operational breakage I've ever seen on PMTU Discovery comes from. And in almost all cases, one of two things is at fault. Either some bonehead firewall admin is "blocking all ICMP for security" (fixable by reconfiguring the firewall to let ICMP Frag Needed error messages through), or some bonehead network provider numbered their point-to-points from 1918 space and the ICMP gets ingress/egress filtered (this one is usually not fixable except with a baseball bat).
--On Wednesday, December 3, 2003 11:39 AM -0500 Valdis.Kletnieks@vt.edu wrote:
> On Wed, 03 Dec 2003 16:05:39 GMT, jgraun@comcast.net said:
> > 1) I assume MTU path discovery has to be enabled on each router in the path in order for it to work correctly?!
> Actually, no. All that's required is that:
> a) The router handle the case of a too-large packet with the DF bit set by sending back an ICMP 'Dest Unreachable - Frag Needed' packet. I've never actually encountered a router that didn't get this part right. (Has anybody ever seen a router botch this, *other* than a config error covered in (b) below?)

When you consider that most firewalls are technically routers (albeit somewhat pathological routers), yes... Many firewalls fail to send back the ICMP and silently drop the DF packet.

> b) said ICMP makes it back to the originating machine. This is where all the operational breakage I've ever seen on PMTU Discovery comes from. And in almost all cases, one of two things is at fault. Either some bonehead firewall admin is "blocking all ICMP for security" (fixable by reconfiguring the firewall to let ICMP Frag Needed error messages through), or some bonehead network provider numbered their point-to-points from 1918 space and the ICMP gets ingress/egress filtered (this one is usually not fixable except with a baseball bat).
Yep... Those are definitely the most common PMTU-D problems.

Owen

-- If it wasn't crypto-signed, it probably didn't come from me.
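The mechanics the thread describes, as a small Python model added here (not code from anyone in the thread): a hop that must drop an oversized DF packet answers with ICMP Destination Unreachable / Fragmentation Needed (type 3, code 4) carrying its link MTU; a firewall that drops the DF packet silently, or a filter that eats the ICMP on the way back, turns the path into a black hole; and an IPsec gateway's encapsulation overhead shrinks the MTU available to the inner packet, which is the usual cause of the "large frame over the tunnel" symptom in the original question. The hop names, the scenarios and the 80-byte tunnel overhead are constructed for illustration; real ESP overhead depends on mode, cipher, IV and padding.

```python
"""Toy model of Path MTU Discovery (RFC 1191) across a chain of hops.

Constructed example. Each hop has an outbound link MTU; a hop may also be an
IPsec gateway whose encapsulation overhead shrinks the MTU available to the
inner packet, a firewall that silently drops oversized DF packets instead of
answering, or a filter that eats ICMP errors travelling back to the sender.
"""
from dataclasses import dataclass, field
from typing import Optional

ICMP_FRAG_NEEDED = (3, 4)  # ICMP Destination Unreachable, code Fragmentation Needed


@dataclass
class Hop:
    name: str
    mtu: int                  # outbound link MTU in bytes
    encap_overhead: int = 0   # bytes an IPsec tunnel adds (illustrative value)
    sends_icmp: bool = True   # False: firewall that drops oversized DF packets silently
    passes_icmp: bool = True  # False: filters ICMP errors coming back toward the sender

    @property
    def effective_mtu(self) -> int:
        # Largest inner packet this hop can carry without fragmenting.
        return self.mtu - self.encap_overhead


@dataclass
class Result:
    delivered: bool
    icmp_mtu: Optional[int] = None            # MTU reported by Frag Needed, if one arrives
    fragmented_at: list = field(default_factory=list)


def forward(path: list, size: int, df: bool) -> Result:
    """Forward one packet of `size` bytes; return what the sender observes."""
    fragmented = []
    for i, hop in enumerate(path):
        if size <= hop.effective_mtu:
            continue                          # fits this link, nothing to do
        if not df:
            # DF clear: the router fragments; the largest fragment fits the link.
            fragmented.append(hop.name)
            size = hop.effective_mtu
            continue
        # DF set and too large: the packet is dropped here. The sender learns the
        # link MTU only if this hop generates Frag Needed AND every hop between it
        # and the sender lets the ICMP error through.
        if hop.sends_icmp and all(h.passes_icmp for h in path[:i]):
            return Result(False, icmp_mtu=hop.effective_mtu)
        return Result(False)                  # black hole: drop with no feedback
    return Result(True, fragmented_at=fragmented)


def discover_pmtu(path: list, start: int = 1500, max_probes: int = 8):
    """Sender side of PMTUD: probe with DF set, shrink on Frag Needed.

    Returns (pmtu, probes). pmtu is None when a probe vanishes without an ICMP
    error, i.e. the "blocking all ICMP" black hole described in the thread.
    """
    size, probes = start, []
    for _ in range(max_probes):
        probes.append(size)
        r = forward(path, size, df=True)
        if r.delivered:
            return size, probes
        if r.icmp_mtu is None:
            return None, probes
        size = r.icmp_mtu
    return None, probes


# Constructed scenarios. 80 bytes of tunnel overhead is illustrative only.
ALL_1500 = [Hop("r1", 1500), Hop("r2", 1500), Hop("r3", 1500)]
IPSEC_OK = [Hop("edge", 1500), Hop("ipsec-gw", 1500, encap_overhead=80), Hop("r3", 1500)]
IPSEC_ICMP_FILTERED = [Hop("fw", 1500, passes_icmp=False),
                       Hop("ipsec-gw", 1500, encap_overhead=80), Hop("r3", 1500)]
DF_DROPPING_FIREWALL = [Hop("r1", 1500), Hop("fw", 1400, sends_icmp=False)]
JUMBO_HOST = [Hop("gige", 9000), Hop("core", 1500), Hop("r3", 1500)]

if __name__ == "__main__":
    for name, path, start in [("all 1500", ALL_1500, 1500),
                              ("ipsec, ICMP allowed", IPSEC_OK, 1500),
                              ("ipsec, ICMP filtered", IPSEC_ICMP_FILTERED, 1500),
                              ("firewall drops DF silently", DF_DROPPING_FIREWALL, 1500),
                              ("jumbo-frame host", JUMBO_HOST, 9000)]:
        print(f"{name}: {discover_pmtu(path, start=start)}")
    print("DF clear over the 1400 hop:", forward(DF_DROPPING_FIREWALL, 1500, df=False))
```

The two scenarios that return None are the failures Valdis and Owen describe: nothing along the path is misbehaving from the sender's point of view, the probe simply never comes back, and the application sees connections that open fine and then hang on the first large write. The all-1500 case shows Steve's point that a router whose links all share one MTU never has to generate Frag Needed; the jumbo-frame case shows Owen's, that a host with a larger MTU than the core still depends on the 1500-byte hop answering. The fix the thread gives, permitting ICMP type 3 code 4 back through the firewall, corresponds to setting passes_icmp=True on the "fw" hop.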