Subject: enabling MTU discovery
To: None <tech-net@netbsd.org>
From: Michael C. Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-net
Date: 01/07/1999 11:44:00
  I have the following topology:
	
	desktop<->firewall<-isdn->ISP<-28.8k->cust-firewall..

  the cust-firewall does NAT and uses proxies, so the internal network is
irrelevant. The 28.8 link has a 576 byte MTU/MRU. 
  desktop, firewall are NetBSD. The ISP's low-speed dedicated box and the
cust-firewall are Linux 2.0.36. (I have root on both)
  I can do:
	ping -D -s 1024 cust-firewall
  and I see the appropriate ICMP must-fragment messages. (My firewall lets
those through)

varrus# ping -D -s 1024 cust-firewall
PING cust-firewall (1.2.3.4): 1024 data bytes
564 bytes from isp.net (3.4.5.6): frag needed and DF set.  Next MTU=16386 for icmp_seq=0
ping: sendto: Message too long
ping: sendto: Message too long
^C
# netstat -r | grep cust-firewall
cust-firewall     209.151.24.17      UGHD        0        2    576  ne2



  What I am not able to do is to get TCP, (e.g. scp of
/usr/share/misc/termcap) to set off the PMTU. I have set
	net.inet.ip.mtudisc = 1
  which I thought would be enough. Watching the data, I do not see it
attempting to send larger packets. This is with 
  NetBSD varrus 1.3I NetBSD 1.3I (XTERM) #7: Sat Dec  5 13:26:56 EST 1998

  Is there something else that I need to enable? I *do* delete the route
after the ping experiment. This is what I see with tcpdump:

... bunch of small packets as SSH starts up:
20:04:40.435125 varrus.sandelman.ottawa.on.ca.65523 > cust-firewall.22: . 1496:2032(536) ack 552 win 17520 (DF) [tos 0x8]
20:04:40.435632 varrus.sandelman.ottawa.on.ca.65523 > cust-firewall.22: P 2032:2472(440) ack 552 win 17520 (DF) [tos 0x8]

  So, the window is big enough. The TOS value is something that SSH does, but
I don't think it should affect things... I care about this since I transfer
lots of data to this customer and their link, for geographic reasons, is
quite slow, and quite overcommitted.
  Yes, turning off PMTU would get the desired effect (576 byte MTU), but 
I'd like to leave it on for other connections.

   :!mcr!:            |  Network and security consulting/contract programming
   Michael Richardson |         Firewalls, TCP/IP and Unix administration
 Personal: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html
 Corporate: http://www.sandelman.ottawa.on.ca/SSW/
	ON HUMILITY: To err is human, to moo bovine.
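
An added example, not part of the original post: a small Python parser for tcpdump lines in the format shown above. It computes each packet's IPv4 size and checks whether any DF-marked segment exceeds a given link MTU, which is the only case in which a router returns "frag needed". It assumes 20-byte IP and TCP headers with no options (none are printed in the capture); the function names and the third sample line are constructed for illustration.

```python
import re

# tcpdump TCP summary line, as in the capture in the post:
#   <time> <src> > <dst>: <flags> <first>:<last>(<len>) ack ... (DF) ...
SEG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+) "
    r"(?P<first>\d+):(?P<last>\d+)\((?P<len>\d+)\)(?P<rest>.*)$"
)

# Assumption: IPv4 and TCP headers carry no options (none are printed
# in the capture), so each header is 20 bytes.
HEADERS = 20 + 20


def parse_segment(line):
    """Return a dict for one data segment, or None if the line does not match."""
    m = SEG_RE.match(line.strip())
    if m is None:
        return None
    payload = int(m.group("len"))
    if int(m.group("last")) - int(m.group("first")) != payload:
        return None  # sequence range and length disagree: damaged line
    return {
        "payload": payload,
        "ip_len": payload + HEADERS,
        "df": "(DF)" in m.group("rest"),
    }


def pmtud_report(lines, link_mtu):
    """Summarise whether any packet would draw an ICMP 'frag needed' at link_mtu."""
    segs = [s for s in map(parse_segment, lines) if s is not None]
    too_big = [s for s in segs if s["df"] and s["ip_len"] > link_mtu]
    return {
        "segments": len(segs),
        "largest_ip_len": max((s["ip_len"] for s in segs), default=0),
        "frag_needed_expected": bool(too_big),
    }


# The first two lines are the capture from the post; CONSTRUCTED is a
# made-up line showing a full-size Ethernet segment for comparison.
POST_LINES = [
    "20:04:40.435125 varrus.sandelman.ottawa.on.ca.65523 > cust-firewall.22: . 1496:2032(536) ack 552 win 17520 (DF) [tos 0x8]",
    "20:04:40.435632 varrus.sandelman.ottawa.on.ca.65523 > cust-firewall.22: P 2032:2472(440) ack 552 win 17520 (DF) [tos 0x8]",
]
CONSTRUCTED = "20:04:41.000000 varrus.sandelman.ottawa.on.ca.65523 > cust-firewall.22: . 2472:3932(1460) ack 552 win 17520 (DF) [tos 0x8]"
```

Calling `pmtud_report(POST_LINES, 576)` reports a largest packet of 576 bytes and no expected "frag needed"; adding the constructed 1460-byte segment flips that result.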