Path MTU Discovery

Path MTU Discovery (PMTUD) is a standardized technique in computer networking for determining the maximum transmission unit (MTU) size on the network path between two Internet Protocol (IP) hosts, usually with the goal of avoiding IP fragmentation. PMTUD is performed by routers in Internet Protocol Version 4 (IPv4),[1] while in IPv6 this function has been delegated to the end points of a communications session.[2]

Path MTU Discovery works by setting the Don't Fragment (DF) option bit in the IP headers of outgoing packets. Then, any device along the path whose MTU is smaller than the packet will drop it, and send back an Internet Control Message Protocol (ICMP) Fragmentation Needed (Type 3, Code 4) message containing its MTU, allowing the source host to reduce its Path MTU appropriately. The process repeats until the MTU is small enough to traverse the entire path without fragmentation.

If the Path MTU changes after the connection is set up and is lower than the previously determined Path MTU, the first large packet will cause an ICMP error and the new, lower Path MTU will be found. Conversely, if PMTUD finds that the path allows a larger MTU than is possible on the lower link, the OS will periodically reprobe to see if the path has changed and now allows larger packets. On Linux this timer is set by default to ten minutes,[3] and can be changed in /proc/sys/net/ipv4/route/mtu_expires.

Contents

Problems with PMTUD

Many network security devices block all ICMP messages for perceived security benefits,[4] including the errors that are necessary for the proper operation of PMTUD. This can result in connections that complete the TCP three-way handshake correctly, but then hang when data is transferred. This state is referred to as a black hole connection.[5]

Some implementations of PMTUD attempt to prevent this problem by inferring that large payload packets have been dropped due to MTU rather than because of link congestion. However, in order for the Transmission Control Protocol (TCP) to operate most efficiently, ICMP Unreachable messages (type 3) should be permitted. A robust method for PMTUD that relies on TCP or another protocol to probe the path with progressively larger packets has been standardized in RFC 4821.[6]

A workaround used by some routers is to change the maximum segment size (MSS) of all TCP connections passing through links with MTU lower than the Ethernet default of 1500. This is known as MSS clamping.[7]

See also

References

  1. ^ RFC 1191, Path MTU Discovery, J. Mogul, S. Deering (November 1990)
  2. ^ RFC 1981, Path MTU Discovery for IP version 6, J. McCann, S. Deering, J. Mogul (August 1996)
  3. ^ linux source code see line with "mtu_expires" 10 * 60 seconds
  4. ^ "Prevent hacker probing by blocking ICMP traffic". http://www.zdnet.com.au/prevent-hacker-probing-by-blocking-icmp-traffic-120280325.htm. 
  5. ^ RFC 2923, TCP Problems with Path MTU Discovery, K. Lahey (September 2000)
  6. ^ RFC 4821, Packetization Layer Path MTU Discovery, M. Mathis, J. Heffner (March 2007)
  7. ^ "Circumventing Path MTU Discovery issues with MSS Clamping". http://lartc.org/howto/lartc.cookbook.mtu-mss.html. 

External links