Home page logo
/

nanog logo nanog mailing list archives

Re: PMTU-D: remember, your load balancer is broken
From: woods () weird com (Greg A. Woods)
Date: Thu, 15 Jun 2000 10:15:22 -0400 (EDT)


[ On Wednesday, June 14, 2000 at 07:21:54 (-0500), Brett Frankenberger wrote: ]
Subject: Re: PMTU-D: remember, your load balancer is broken 

PMTU Discovery is important when you have larger MTUs on the ends and
small MTUs in the middle.  For example, a tunnel (VPN or otherwise)
between two routers or VPN servers, for a WAN link with a small MTU, or
...

I think that should read:

"PMTU Discovery is important when you have larger MTUs on either end...."

Almost all of my systems, until recently, were advertising an MSS
default of 512, and I've had either a PPP connection with an MTU of
about 1024, (I forget exactly what it was), or more recently a GRE
tunnel with an MTU of 1460.

Back when my router was PPP connected I had enormous problems with
SunOS-4.1.x, and only slightly fewer problems with NetBSD.

Since discovering that servers with an MSS default of 512 bytes cannot
possibly ever deliver good TCP throughput to local high-speed customers
(eg. on a cable or DSL plant), I've also been hard-coding a TCP MSS
default of 1460 on most systems I control (though on cable modem squid
servers, etc., it could probably safely be raised to 1500, but of course
on my GRE tunnel this is the maximum I can use without fragmentation).

It's a real problem, and the Load Balancer manufacturers need to handle
the ICMPs properly.

You're damn right it is!

In fact I think I'm having this very problem with segue.merit.edu
[198.108.1.41] trying to deliver some NANOG messages to my server ever
since yesterday or the day before!  (Another server at theplanet.co.uk
is definitely giving me these headaches -- I still have to capture a
failed connection from segue.merit.edu to prove the latter though....)

The system in question still has an MSS default of 512.  I've not yetI'm
not exactly a TCP guru, but I'm guessing that nothing will improve even
if I increase it to 1460....  Maybe I'll try this anyway because in the
mean time those damn mailers are clogging mine with zillions of stagnant
connections and are preventing any other mailers from delivering....

Personally I think it should be required that an admin jump through
multiple burning hoops and then prove he or she can stop a charging
locomotive and leap tall buildings before they are allowed to turn on
Path-MTU-discovery.  Any OS vendor that ships with it on by default
should be put in stocks in the town centre so they can be publicly
humiliated!

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods () acm org>      <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault