nanog mailing list archives

Re: PMTU-D: remember, your load balancer is broken
From: "Steven M. Bellovin" <smb () research att com>
Date: Tue, 13 Jun 2000 23:50:55 -0400

In message <200006140333.e5E3XmL28888 () black-ice cc vt edu>, Valdis.Kletnieks () vt.edu writes:

> b) If you're a webserver or something else providing service Out
> There to random users, just nail the MTU at 1500, which will
> work for any Ethernet/PPP/SLIP out there.  And if you're load
> balancing to geographically disparate servers, then your users
> are probably Out There, with an MTU almost guaranteed to be 1500.
>
> I assert that the chances of PMTU-D helping are in direct ratio to the
> number of end users who have connections with MTU>1500 - it's almost
> a sure thing that you probably won't have users with an MTU on their
> last-hop that's bigger than their campus backbone and/or Internet
> connection's MTU.
>
> Is anybody seeing any documentable wins by using PMTU-D?

There are two places where it's very important.  First, some server 
farms are on FDDI rings, so they have a higher MTU.  Second -- and this 
one is growing in importance -- tunnels, for IPsec, PPTP, etc. -- 
generally have smaller MTUs.  This very reply will travel over a tunnel 
with an MTU of, I believe, 1480.

                --Steve Bellovin
