[AusNOG] PMTUD was -> RE: GRE Tunnel MTU suggestions

Colin Stubbs colin.stubbs at equatetechnologies.com.au
Thu Jul 3 08:06:02 EST 2014


In my experience, which has involved enough MTU related problems to have
left both mental and physical scars (the latter not necessarily on me),
broken PMTUD is always to do with overzealous security/server/numpty
admins who block ICMP entirely, or at least unreachables with all sub types,
because they don't even know what unreachables do at a basic level.

I've not seen any O/S that fails to handle PMTUD properly IF still
configured with default settings and a sane host based firewall
configuration.

That said, there are two exceptions:
- NAT implementations not translating ICMP associated with TCP/etc
connections through to the right host. Generally not a problem on recent
routers/firewalls. It can be if someone has configured something they
shouldn't have, e.g. it can be done on ASA with a configuration command; or
just because you're running buggy code (read: you are most definitely
running very buggy code; it might just not be a published bug yet.)

- PMTU Black Hole Detection, e.g. detection of PMTU when ICMP unreachables
are not received, is another matter. That seems to be O/S implementation
dependent and may or may not be on by default.

Neither of those situations means PMTUD is inherently broken. It will work
provided the right ICMP messages get to the original sender.


Sent from a mobile device. Correct spelling and accurate use of grammar is
unlikely to have occurred.
On 03/07/2014 7:30 am, "Paul Gear" <ausnog at libertysys.com.au> wrote:

> On 07/02/2014 09:55 AM, Alex Samad - Yieldbroker wrote:
>
>> ...
>> {snip}
>>
>>> PMTUD is better to use, MSS adjusting is a TCP specific hack. Don't
>>> switch it
>>> on unless you need to because PMTUD is broken.
>>>
>>
>> How broken is PMTUD now? I remember back in the day diagnosing a lot of
>> DSL connections that failed because of this.
>>
>
> After my experiences earlier in the year [1], I came to the conclusion
> that PMTUD is always broken, and turned on TCP MSS clamping on all our edge
> routers.
>
> Paul
>
> [1] http://lists.ausnog.net/pipermail/ausnog/2014-February/022606.html
>
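As an added example (not code from any poster on this thread), the ICMP message the whole discussion hinges on, parsed the way a NAT or stateful firewall has to parse it before it can forward the error to the right inside host; it also shows the MSS a clamp would advertise for a given path MTU. The addresses, ports and the 1476-byte GRE-over-IPv4 MTU are constructed sample values.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional
ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED = 3, 4  # RFC 792 type 3 / RFC 1191 code 4

@dataclass
class FragNeeded:
    next_hop_mtu: int  # MTU of the link that could not carry the DF packet
    src: str           # original sender: the host that must shrink its packets
    dst: str
    proto: int
    sport: int
    dport: int

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; 0 when computed over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_frag_needed(icmp: bytes) -> Optional[FragNeeded]:
    """Parse ICMP type 3 code 4; the quoted inner header identifies the flow."""
    if len(icmp) < 8 + 20 + 8 or inet_checksum(icmp) != 0:
        return None
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (itype, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        return None
    inner = icmp[8:]  # original IP header + first 8 bytes of its payload
    ihl = (inner[0] & 0x0F) * 4
    if len(inner) < ihl + 4:
        return None
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return FragNeeded(mtu, src, dst, inner[9], sport, dport)

def mss_for_mtu(mtu: int) -> int:
    """MSS a clamp should advertise: path MTU less 20-byte IPv4 and 20-byte TCP headers."""
    return mtu - 40
def build_frag_needed(mtu: int, src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed sample of what a router returns for an oversized DF TCP packet."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp8 = struct.pack("!HHI", sport, dport, 0x11223344)  # ports + seq number
    msg = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, mtu) + ip + tcp8
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]
```

A NAT box that drops this message, or rewrites the outer header without also rewriting the quoted inner one, leaves the sender with no way to learn the 1476-byte limit, which is the black hole the thread describes.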