Subject: Re: Does this ring a bell?
To: Manuel Bouyer <bouyer@antioche.lip6.fr>
From: Steven M. Bellovin <smb@research.att.com>
List: netbsd-users
Date: 07/20/2000 19:23:57
In message <20000720235146.A603@antioche.eu.org>, Manuel Bouyer writes:
>Note that 208.185.160.9 answers with the DF bit set.
>What's the MTU of your ppp interface (ifconfig ppp0 while ppp is running should
>tell you)?
>Clearly the remote end is doing path MTU discovery, but some sites are
>misconfigured for this: their servers are configured to do path MTU discovery
>but they block all ICMP packets, which breaks path MTU discovery (the remote
>end thinks the packet is lost and tries to retransmit it as is, instead of
>trying a smaller one).
>Windows, and I think recent Linux, have path MTU discovery turned on.
>The only "fix" you can do at your end is to bump the ppp mtu to 1500.
Umm -- I doubt it. When the small MTU is on an endpoint, as opposed to
some intermediate link, the host notices it and cranks down the MSS.
This limits the size of incoming TCP segments.

If, however, there is some link along the path with a small MTU -- for
me, it's an IPsec tunnel -- you can indeed get into trouble if some
firewall blocks the ICMP message used by Path MTU. The solution in
this case might be to use a *lower* MTU on the PPP link, precisely to
force a smaller MSS and hence smaller packets.
--Steve Bellovin
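
Added example (not part of the original message or thread): a small Python model of the two cases discussed above, a small MTU on the endpoint versus a small MTU on an intermediate link, with and without a firewall dropping the ICMP "fragmentation needed" message. The function names and the MTU values (296, 1280, 1400) are constructed for illustration; headers are assumed to be 40 bytes (IPv4 plus TCP, no options).

```python
IP_TCP_HEADERS = 40  # assumption: 20-byte IPv4 header + 20-byte TCP header


def negotiated_mss(local_mtu, remote_mtu):
    """Each end advertises MSS = interface MTU - 40; the sender uses the smaller."""
    return min(local_mtu, remote_mtu) - IP_TCP_HEADERS


def send_segment(server_mtu, client_mtu, transit_mtus, icmp_blocked, max_tries=5):
    """Model a server sending one full-sized TCP segment with DF set.

    transit_mtus lists the MTUs of the intermediate links on the path.
    Returns (delivered, ip_packet_size, tries).
    """
    pmtu = server_mtu  # sender's initial path MTU estimate
    mss = negotiated_mss(server_mtu, client_mtu)
    size = mss + IP_TCP_HEADERS
    for tries in range(1, max_tries + 1):
        size = min(mss + IP_TCP_HEADERS, pmtu)
        bottleneck = next((m for m in transit_mtus if m < size), None)
        if bottleneck is None:
            return True, size, tries  # packet fits every hop
        # The router drops the DF packet and emits ICMP "fragmentation needed".
        if not icmp_blocked:
            pmtu = bottleneck  # sender learns the smaller path MTU
        # With ICMP filtered the sender learns nothing and retransmits as is.
    return False, size, max_tries


def scenarios():
    """Constructed cases: (server MTU, client PPP MTU, transit MTUs, ICMP blocked)."""
    return {
        "small endpoint MTU, ICMP blocked": send_segment(1500, 296, [1500], True),
        "small transit MTU, ICMP allowed": send_segment(1500, 1500, [1400], False),
        "small transit MTU, ICMP blocked": send_segment(1500, 1500, [1400], True),
        "lowered PPP MTU, ICMP blocked": send_segment(1500, 1280, [1400], True),
    }


if __name__ == "__main__":
    for name, (ok, size, tries) in scenarios().items():
        print(f"{name}: delivered={ok} packet={size} tries={tries}")
```

Only the third case stalls: the sender keeps retransmitting a 1500-byte packet that the 1400-byte link cannot carry. Lowering the endpoint MTU below the transit MTU avoids this because the advertised MSS already keeps packets small enough.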