Subject: Re: Patch for limiting TCP MSS (i.e. for new PPPoE)
To: Rick Byers <>
From: Steven M. Bellovin <>
List: tech-net
Date: 12/02/2001 22:04:05
In message <Pine.NEB.4.33.0112022145110.1820-100000@Apenheul.BigScaryChildren.net>, Rick Byers writes:
>On Sun, 2 Dec 2001, Steven M. Bellovin wrote:
>> >In order to work around buggy networks suffering from the PMTU blackhole
>> >problem (see RFC 2923), I've written up a quick patch which adds a sysctl
>> >to limit the advertised TCP MSS (I think this is preferable to lowering
>> >the interface MTU).  Ideally, this could be configured per interface or
>> >per route, or even auto-detected on a host-by-host basis - but all of
>> >those options require much more work.
>> But the problem is that a per-connection fix requires changing every
>> application.  I don't think that that scales.
>I said per host, not per connection - it certainly shouldn't have anything
>to do with the application level.  As for per host, I was thinking of just
>keeping a table similar to the pmtu discovery table, which indicates that
>a host is suspected of being blackholed and that an artificially low MSS
>should be used for it.  Of course, making that determination could only be
>an ugly hack and probably error prone.  This is probably even uglier than
>the TCP MSS clamping that most PPPoE software does, and so not really
>worth pursuing.

Ah -- I misread your note.  I suspect that the right answer, though
perhaps more work, is to put it in the routing table.  Among other 
things, that would allow a single MSS to be associated with the default 
route, or with any host or subnet by creating a route with a longer 
prefix and associating the smaller MSS with that route.  

		--Steve Bellovin,
		Full text of "Firewalls" book now at
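The two designs discussed in this thread (a single sysctl-style clamp on the advertised MSS, and Bellovin's suggestion of attaching an MSS to routes so that a default route carries one value and a longer-prefix host or subnet route can carry a smaller one) can be modelled in a few lines. The example below is an added illustration, not code from NetBSD or from either poster; the route table, the prefixes from the RFC 5737 documentation ranges, the 1492-byte PPPoE MTU and the clamp values are all constructed for the demonstration. It derives the MTU-implied MSS for IPv4/TCP without options, applies an optional global clamp, then applies the MSS of the longest-prefix route, taking the minimum of all three so the advertised value never exceeds what any layer allows.

```python
import ipaddress
from typing import Optional, Tuple

# IPv4 and TCP base header sizes (no options). The MSS implied by a link MTU
# is the payload that still fits in one unfragmented packet.
IPV4_HEADER = 20
TCP_HEADER = 20


def mss_for_mtu(mtu: int) -> int:
    """MSS a link MTU permits: e.g. 1500 -> 1460, PPPoE's 1492 -> 1452."""
    return mtu - IPV4_HEADER - TCP_HEADER


class RouteTable:
    """Toy routing table (constructed model, not the kernel's): each route may
    carry an MSS, and lookup is longest-prefix match, so a /32 host route or a
    /24 subnet route overrides the value on the default route."""

    def __init__(self) -> None:
        self._routes = []  # list of (network, mss-or-None)

    def add(self, prefix: str, mss: Optional[int] = None) -> None:
        self._routes.append((ipaddress.ip_network(prefix, strict=False), mss))

    def lookup(self, dst: str) -> Optional[Tuple[ipaddress.IPv4Network, Optional[int]]]:
        addr = ipaddress.ip_address(dst)
        best = None
        for net, mss in self._routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, mss)
        return best


def advertised_mss(dst: str, table: RouteTable, link_mtu: int,
                   sysctl_max_mss: Optional[int] = None) -> int:
    """MSS to advertise in the SYN for a connection to dst.

    Starts from the link MTU, applies the global clamp (the sysctl in Rick's
    patch) if set, then the MSS on the most specific matching route (the
    per-route design). The smallest wins, which is the safe direction when a
    path is suspected of black-holing PMTU discovery (RFC 2923).
    """
    mss = mss_for_mtu(link_mtu)
    if sysctl_max_mss is not None:
        mss = min(mss, sysctl_max_mss)
    route = table.lookup(dst)
    if route is not None and route[1] is not None:
        mss = min(mss, route[1])
    return mss


def build_example_table() -> RouteTable:
    """Constructed example: a default route with a modest MSS, one subnet that
    needs a smaller value, and one host known to sit behind a black hole."""
    table = RouteTable()
    table.add("0.0.0.0/0", mss=1400)          # default route
    table.add("198.51.100.0/24", mss=1200)    # subnet behind a low-MTU tunnel
    table.add("203.0.113.7/32", mss=536)      # single problematic host
    return table


if __name__ == "__main__":
    t = build_example_table()
    for dst in ("192.0.2.1", "198.51.100.5", "203.0.113.7"):
        print(dst, advertised_mss(dst, t, link_mtu=1492))
</test>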