nanog mailing list archives

Re: IP tunnel MTU


From: William Herrin <bill () herrin us>
Date: Mon, 29 Oct 2012 18:47:29 -0400

On Mon, Oct 29, 2012 at 10:54 AM, Ray Soucy <rps () maine edu> wrote:
> The core issue here is TCP MSS. PMTUD is a dynamic process for
> adjusting MSS, but requires that ICMP be permitted to negotiate the
> connection.  The realistic alternative, in a world that filters all
> ICMP traffic, is to manually rewrite the MSS.  In IOS this can be
> achieved via "ip tcp adjust-mss" and on Linux-based systems, netfilter
> can be used to adjust MSS for example.

Longer term, the ideal solution would be a replacement algorithm that
allows TCP to adjust its MSS with or without negative acknowledgement
from intermediate routers. The ICMP-didn't-get-there problem is only
going to get worse and things like private IPs on routers and
encapsulation mechanisms where the intermediate router isn't dealing
with an IP packet directly are as much at fault these days as foolish
firewall admins.

Perhaps my understanding of end-to-end is flawed, but I suspect it
means that an endpoint shouldn't depend on direct communication with
an intermediate system for its successful communication with another
endpoint.

Maybe something as simple as clearing the don't fragment flag and
adding a TCP option to report receipt of a fragmented packet along
with the fragment sizes back to the sender so he can adjust his mss to
avoid fragmentation.

Regards,
Bill Herrin





-- 
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
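What the MSS rewriting discussed above ("ip tcp adjust-mss", netfilter's MSS clamping) does to a SYN, as an added example that is not from this thread or either poster: it walks the TCP options, lowers the MSS so one full segment fits the tunnel MTU, never raises it, leaves non-SYN segments alone, and recomputes the TCP checksum. The addresses, ports and MSS values are constructed sample data, and the 1400-byte tunnel MTU (giving an MSS of 1360 over IPv4) is an assumed example value.

```python
import ipaddress
import struct
MSS_KIND = 2  # TCP option kind 2 = Maximum Segment Size (RFC 793)

def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    # IPv4 TCP checksum over the pseudo-header + segment, checksum field taken as zero
    pseudo = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    pseudo += struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment[:16] + b"\x00\x00" + segment[18:]
    data += b"\x00" if len(data) % 2 else b""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries (ones' complement sum)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def mss_option_offset(segment: bytes):
    # Walk the TCP options; return the offset of the 16-bit MSS value, or None
    i, end = 20, (segment[12] >> 4) * 4
    while i < end:
        kind = segment[i]
        if kind == 1:                       # NOP padding
            i += 1
            continue
        if kind == 0 or segment[i + 1] < 2: # end of option list, or malformed
            return None
        if kind == MSS_KIND and segment[i + 1] == 4:
            return i + 2
        i += segment[i + 1]
    return None

def clamp_mss(src: str, dst: str, segment: bytes, tunnel_mtu: int) -> bytes:
    # Lower a SYN's MSS so one full segment fits tunnel_mtu; never raise it
    target = tunnel_mtu - 20 - 20           # minus IPv4 header and base TCP header
    off = mss_option_offset(segment)
    if not segment[13] & 0x02 or off is None:   # not a SYN, or no MSS option
        return segment
    if struct.unpack_from("!H", segment, off)[0] <= target:
        return segment                      # already small enough: leave it alone
    seg = bytearray(segment)
    struct.pack_into("!H", seg, off, target)
    struct.pack_into("!H", seg, 16, tcp_checksum(src, dst, bytes(seg)))
    return bytes(seg)

def build_syn(src: str, dst: str, mss: int) -> bytes:
    # Constructed sample SYN (ports 40000 -> 443) carrying only an MSS option
    hdr = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 6 << 4, 0x02, 65535, 0, 0)
    seg = bytearray(hdr + struct.pack("!BBH", MSS_KIND, 4, mss))
    struct.pack_into("!H", seg, 16, tcp_checksum(src, dst, bytes(seg)))
    return bytes(seg)
```

Unlike the kernel's clamp, this version does not insert an MSS option when a SYN lacks one; it only rewrites one that is present.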

