Subject: Re: Networking question MTU on non-local nets
To: None <port-macppc@netbsd.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: port-macppc
Date: 06/14/2003 16:23:00
> Unless you have PMTU turned on, using an ethernet MTU out "in the
> internet" is not safe.

Why not?  For what value of "safe"?

> [...MSS value from options in SYN...]  Either of these is likely to
> be larger than the smallest MTU on the routers in the path.

Right.

> If you hit a small packet router (i.e. PPPoE, VPN, etc) the
> fragmented or oversized packets effectively get silently dropped.

If they're sent with DF clear, routers are supposed to fragment as
necessary.  If you have DF set, routers are supposed to send back an
"unreachable - fragmentation needed but DF set" ICMP.

Neither one is "silently dropped".  If you're seeing silent drops,
something is broken somewhere.

>>> I have also learned that MTU path discovery is an option, but this
>>> is not on by default, and I am a little afraid of it.
>> I have it enabled on all my servers, and I didn't notice problems.
> Thanks.  I've turned it on, too.

Be careful.  If you have any packet filtering, make sure it lets
through the ICMPs I described above.  It's very common, in my
experience, for webservers and mailhosts to have PMTU-D on but be
behind something that apparently drops the ICMPs that drive PMTU-D.
Back when I was behind a low-MTU link, I regularly saw hosts connecting
to me and doing protocol until they wanted to send bulk data, at which
point the connection locked up.  tcpdumping outside the low-MTU link (I
was fortunate in that I had such access) revealed that I'd get a large
packet, send back the ICMP, wait, get the same size packet, send back
another ICMP, lather-rinse-repeat until the far end decides I've gone
dead and gives up.

I've sent out numerous emails about it, but the only case where I ever
got anything fixed was one where I personally knew the server's admin,
and even then it took a good deal of tweaking and retesting with a
parallel comm channel open between us.

It's pretty close to the point where I'd say that such configs have
broken things enough that the de-facto minimum MTU on the net is 1500.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@rodents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
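The lock-up pattern described in this reply (a peer keeps resending the same oversized DF packet even though we answer each one with an ICMP "fragmentation needed" message, while a healthy peer shrinks its packets) can be picked out of a capture mechanically. This is an added example, not code from the original thread; the packet records, the addresses, the local host `10.0.0.1` and the 576-byte link MTU are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample capture taken at the low-MTU side of the link.
# Each record: (timestamp, src, dst, proto, length, flags), where flags is
# {"df": bool} for TCP/IP packets and {"type": int, "code": int} for ICMP.
LINK_MTU = 576
LOCAL = "10.0.0.1"
SAMPLE = [
    # Black-holed peer: same 1500-byte DF packet again and again.
    (0.00, "192.0.2.10", LOCAL, "tcp", 1500, {"df": True}),
    (0.01, LOCAL, "192.0.2.10", "icmp", 56, {"type": 3, "code": 4}),
    (1.00, "192.0.2.10", LOCAL, "tcp", 1500, {"df": True}),
    (1.01, LOCAL, "192.0.2.10", "icmp", 56, {"type": 3, "code": 4}),
    (3.00, "192.0.2.10", LOCAL, "tcp", 1500, {"df": True}),
    (3.01, LOCAL, "192.0.2.10", "icmp", 56, {"type": 3, "code": 4}),
    # Healthy peer: PMTU-D works, so it resends at a size that fits.
    (0.50, "198.51.100.7", LOCAL, "tcp", 1500, {"df": True}),
    (0.51, LOCAL, "198.51.100.7", "icmp", 56, {"type": 3, "code": 4}),
    (0.70, "198.51.100.7", LOCAL, "tcp", 576, {"df": True}),
]


def find_pmtud_blackholes(packets, link_mtu, local, min_repeats=3):
    """Return {peer: repeat_count} for peers that keep sending oversized
    DF packets after we replied with ICMP type 3 code 4 and never shrink."""
    oversized = defaultdict(int)  # peer -> number of oversized DF packets seen
    answered = set()              # peers we sent "fragmentation needed" to
    shrank = set()                # peers that later sent something that fits
    for _, src, dst, proto, length, flags in sorted(packets, key=lambda p: p[0]):
        if proto == "tcp" and dst == local:
            if flags.get("df") and length > link_mtu:
                oversized[src] += 1
            elif src in answered and length <= link_mtu:
                shrank.add(src)
        elif proto == "icmp" and src == local:
            if (flags.get("type"), flags.get("code")) == (3, 4):
                answered.add(dst)
    # A peer that was told to fragment, never did, and kept retrying is
    # almost certainly behind a filter that eats our ICMPs.
    return {peer: n for peer, n in oversized.items()
            if peer in answered and peer not in shrank and n >= min_repeats}


if __name__ == "__main__":
    print(find_pmtud_blackholes(SAMPLE, LINK_MTU, LOCAL))  # {'192.0.2.10': 3}
```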