[137526] in North American Network Operators' Group


Re: NIST and SP800-119

daemon@ATHENA.MIT.EDU (Jared Mauch)
Tue Feb 15 16:32:23 2011

From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <AANLkTimY3JNVW7CEJxkEWZ5=7J6Mm20VMspUfZC0aduy@mail.gmail.com>
Date: Tue, 15 Feb 2011 16:31:07 -0500
To: William Herrin <bill@herrin.us>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Feb 15, 2011, at 10:36 AM, William Herrin wrote:

> On Tue, Feb 15, 2011 at 10:09 AM, Joe Abley <jabley@hopcount.ca> wrote:
>> On 2011-02-14, at 21:41, William Herrin wrote:
>>> On Mon, Feb 14, 2011 at 7:24 PM, TR Shaw <tshaw@oitc.com> wrote:
>>>> Just wondering what this community thinks of NIST in
>>>> general and their SP800-119 (
>>>> http://csrc.nist.gov/publications/nistpubs/800-119/sp800-119.pdf )
>>>> writeup about IPv6 in particular.
>>>
>>> Well, according to this document IPv4 path MTU discovery is,
>>> "optional, not widely used."
>>
>> Optional seems right. Have there been any recent studies on how widely pMTUd is actually used in v4?
>
> Hi Joe,
>
> Are you aware of a TCP implementation in an OS that shipped within the
> last decade but doesn't enable IPv4 pMTUd by default? Each version of
> Windows and all the major unixes use it on every TCP connection unless
> you explicitly turn it off.

IOS does not support it unless explicitly turned on.  It will result in decreased network performance for some things (e.g. BGP updates) as the negotiated MSS will be really small.

They likely don't want to change some sacred default either, as it would break other things.  If you run larger than ~500-byte MTUs internally, you may want to enable 'ip tcp path-mtu-discovery' and watch your BGP convergence improve significantly.

Router#sh ip bgp neighbors | inc max data segment

Broken setups will show something like this:
Datagrams (max data segment is 1240 bytes):
Datagrams (max data segment is 516 bytes):
Datagrams (max data segment is 536 bytes):

Others may show something much larger depending on your infrastructure.

IMHO, path-mtu-discovery is REQUIRED, not optional.  Anyone saying =
otherwise has a broken network and you should not give them your money.

- Jared
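As an added example, not part of Jared's post or any Cisco tooling: a small script that reads captured `show ip bgp neighbors` output, pulls the negotiated MSS per neighbor, and flags sessions whose MSS is below what the path MTU should allow. The sample output below is constructed for illustration (RFC 5737 addresses, invented AS numbers); the threshold assumes a 1500-byte path and 40 bytes of IPv4+TCP headers, so adjust `path_mtu` to your own infrastructure.

```python
import re

# Constructed sample of "show ip bgp neighbors" output (not from the original
# post). Only the lines this script needs are included; real output is much
# longer and carries many more counters per neighbor.
SAMPLE_OUTPUT = """\
BGP neighbor is 192.0.2.1,  remote AS 64496, external link
  Datagrams (max data segment is 536 bytes):
BGP neighbor is 192.0.2.2,  remote AS 64497, external link
  Datagrams (max data segment is 1240 bytes):
BGP neighbor is 198.51.100.3,  remote AS 64500, internal link
  Datagrams (max data segment is 1460 bytes):
BGP neighbor is 198.51.100.4,  remote AS 64500, internal link
  Datagrams (max data segment is 8960 bytes):
"""

# A neighbor block starts with "BGP neighbor is <addr>,"; the MSS line is the
# one the post greps for with "| inc max data segment".
NEIGHBOR_RE = re.compile(r"^BGP neighbor is ([^,\s]+),")
MSS_RE = re.compile(r"max data segment is (\d+) bytes")


def parse_mss(output):
    """Return {neighbor_address: mss_bytes} from 'show ip bgp neighbors' text.

    The MSS line is attributed to the most recent 'BGP neighbor is' header.
    """
    result = {}
    current = None
    for line in output.splitlines():
        m = NEIGHBOR_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = MSS_RE.search(line)
        if m and current is not None:
            result[current] = int(m.group(1))
    return result


def expected_mss(path_mtu=1500, ip_header=20, tcp_header=20):
    """MSS a session should settle on when PMTUD works over this path MTU.

    1500 - 20 - 20 = 1460; the 536 seen on broken sessions is 576 - 40, the
    classic fallback when path MTU discovery is not in use.
    """
    return path_mtu - ip_header - tcp_header


def flag_small_mss(mss_by_neighbor, path_mtu=1500):
    """Return the neighbors whose negotiated MSS is below the expected value."""
    threshold = expected_mss(path_mtu)
    return {
        addr: mss
        for addr, mss in sorted(mss_by_neighbor.items())
        if mss < threshold
    }


if __name__ == "__main__":
    sessions = parse_mss(SAMPLE_OUTPUT)
    for addr, mss in flag_small_mss(sessions).items():
        print(f"{addr}: MSS {mss} bytes, expected >= {expected_mss()}; "
              "check 'ip tcp path-mtu-discovery' and the path MTU")
```

On a real box, pipe the full `show ip bgp neighbors` output into `parse_mss`; a session that stays at 536 after enabling `ip tcp path-mtu-discovery` usually needs the BGP session cleared, since the MSS is negotiated only at connection setup.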

