[150295] in North American Network Operators' Group
Re: Common operational misconceptions
daemon@ATHENA.MIT.EDU (Steven Bellovin)
Mon Feb 20 22:45:30 2012
From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <4F430F1E.7080208@necom830.hpcl.titech.ac.jp>
Date: Mon, 20 Feb 2012 22:44:36 -0500
To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Feb 20, 2012, at 10:27 PM, Masataka Ohta wrote:
> Steven Bellovin wrote:
>
>>> Timer timeouts do not affect TCP MSS.
>
>> RFC 2923:
>> TCP should notice that the connection is timing out. After
>> several timeouts, TCP should attempt to send smaller packets,
>> perhaps turning off the DF flag for each packet. If this
>> succeeds, it should continue to turn off PMTUD for the connection
>> for some reasonable period of time, after which it should probe
>> again to try to determine if the path has changed.
>
> So?
>
>> It's Informational, not standards track, but the problem
>> -- and the fix -- have been known for a very long time.
>
> I'm not sure what, do you think, is the problem, because the
> paragraph of RFC2923 you quote has nothing to do with TCP
> MSS.
Sure it does. That's in 2.1; the start of it discusses PMTUD
failing for various reasons including firewalls.
>
> The relevant section of the RFC (relevant to MSS) should be:
>
> The MSS should be determined based on the MTUs of the interfaces on
> the system, as outlined in [RFC1122] and [RFC1191].
>
> which means MSS is constant.
The text I quoted says, in so many words, "send smaller packets".
I don't know how it's possible to be more explicit than that.
>
> Note also that the next paragraph (next to the paragraph you
> quote) of the RFC eventually says to use PMTU of 1280B for
> IPv6 if there are black holes. It is not a very good thing
> to do especially for IP over IP tunnels, because 1280B
> packets are always fragmented if they are carried over a
> tunnel with MTU of 1280B.
Please cite in context. The text I quoted says that one option
is to try turning off DF; the next paragraph notes that you can't
do that on v6. It also doesn't say to use PMTU of 1280, it
says that that's a good fallback, and notes that v6 support requires
that. Although it doesn't say so, I'll note that IP in IP makes the
outer IP effectively a link layer for the inner IP; as such, it has
to preserve all of the relevant properties including a link MTU of
1280. If that doesn't work -- though it most likely will, since
the most common hardware MTU is from the ancient 1500 byte Ethernet
size -- the outer IP endpoint has to deal with it appropriately,
such as by intentional fragmentation, just as is done for IP over
ATM with its 53-byte cell size (RFC 2225).
>
> As implosion caused by multicast PMTUD of IPv6 requires ICMP
> PTB black holed, you can expect a lot of black holes.
>
> Masataka Ohta
>
--Steve Bellovin, https://www.cs.columbia.edu/~smb
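
The fallback described in the RFC 2923 text quoted in this message, as an added example that is not part of the original post or of the RFC: a small model of a sender that retransmits into a PMTUD black hole, then clears DF (IPv4) or drops to 1280 bytes (IPv6). The path MTUs, the timeout threshold of 3 and the attempt limit are constructed assumptions, and the later re-probe timer is not modelled.

```python
# Added illustration: constructed model, not code from the thread or from RFC 2923.
IPV6_MIN_MTU = 1280           # minimum link MTU that IPv6 requires
TIMEOUTS_BEFORE_FALLBACK = 3  # assumed value for "several timeouts"
MAX_ATTEMPTS = 12             # assumed bound so the simulation always terminates


def deliver(size, df, path_mtus, icmp_filtered):
    """Send one packet over a constructed path; return 'ok', 'timeout' or 'icmp:<mtu>'."""
    for mtu in path_mtus:
        if size <= mtu:
            continue
        if not df:
            continue  # IPv4 router fragments, so the data still gets through
        # DF set and packet too big: the router drops it and sends an ICMP error,
        # which the sender only sees if nothing on the path filters it.
        return "timeout" if icmp_filtered else f"icmp:{mtu}"
    return "ok"


def send(first_size, path_mtus, icmp_filtered, ipv6=False):
    """Return (final_size, df, log) once a packet is delivered, else (None, df, log)."""
    size, df, timeouts, log = first_size, True, 0, []
    for _ in range(MAX_ATTEMPTS):
        result = deliver(size, df, path_mtus, icmp_filtered)
        log.append((size, df, result))
        if result == "ok":
            return size, df, log
        if result.startswith("icmp:"):
            size, timeouts = int(result.split(":")[1]), 0  # ordinary PMTUD
            continue
        timeouts += 1
        if timeouts < TIMEOUTS_BEFORE_FALLBACK:
            continue  # plain retransmission, nothing learned yet
        timeouts = 0
        if ipv6:
            size = min(size, IPV6_MIN_MTU)  # no DF bit to clear on IPv6
        else:
            df = False  # the IPv4 option: stop setting DF
    return None, df, log


if __name__ == "__main__":
    # Constructed paths: a 1400-byte (or 1280-byte) hop behind an ICMP filter.
    for args in ((1500, [1500, 1400, 1500], True, False),
                 (1500, [1500, 1400, 1500], False, False),
                 (1500, [1500, 1280, 1500], True, True)):
        print(args, "->", send(*args))
```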