Home page logo

nanog logo nanog mailing list archives

Re: Common operational misconceptions
From: Steven Bellovin <smb () cs columbia edu>
Date: Mon, 20 Feb 2012 22:44:36 -0500

On Feb 20, 2012, at 10:27 PM, Masataka Ohta wrote:

Steven Bellovin wrote:

Timer timeouts do not affect TCP MSS.

RFC 2923:
      TCP should notice that the connection is timing out.  After
      several timeouts, TCP should attempt to send smaller packets,
      perhaps turning off the DF flag for each packet.  If this
      succeeds, it should continue to turn off PMTUD for the connection
      for some reasonable period of time, after which it should probe
      again to try to determine if the path has changed.


It's Informational, not standards track, but the problem
-- and the fix -- have been known for a very long time.

I'm not sure what, do you think, is the problem, because the
paragraph of RFC2923 you quote has nothing to do with TCP

Sure it does.  That's in 2.1; the start of it discusses PMTUD
failing for various reasons including firewalls.  

The relevant section of the RFC (relevant to MSS) should be:

  The MSS should be determined based on the MTUs of the interfaces on
  the system, as outlined in [RFC1122] and [RFC1191].

which means MSS is constant.

The text I quoted says, in so many words, "send smaller packets".
I don't know how it's possible to be more explicit than that.

Note also that the next paragraph (next to the paragraph you
quote) of the RFC eventually says to use PMTU of 1280B for
IPv6 if there are black holes. It is not a very good thing
to do especially for IP over IP tunnels, because 1280B
packets are always fragmented if they are carried over a
tunnel with MTU of 1280B.

Please cite in context.  The text I quoted says that one option
is to try turning off DF; the next paragraph notes that you can't
do that on v6.  It also doesn't say to to use PMTU of 1280, it
says that that's a good fallback, and notes that v6 support requires
that.  Although it doesn't say so, I'll note that IP in IP makes the
outer IP effectively a link layer for the inner IP; as such, it has
to preserve all of the relevant properties including a link MTU of
1280.  If that doesn't work -- though it most likely will, since
the most common hardware MTU is from the ancient 1500 byte Ethernet
size -- the outer IP endpoint has to deal with it appropriately,
such as by intentional fragmentation. just as is done for IP over
ATM with its 53-byte cell size (RFC 2225).

As implosion cause by multicast PMTUD of IPv6 requires ICMP
PTB black holed, you can expect a lot of black holes.

                                      Masataka Ohta

                --Steve Bellovin, https://www.cs.columbia.edu/~smb

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]