Subject: Re: Patch for limiting TCP MSS (i.e. for new PPPoE)
To: Rick Byers <>
From: Steven M. Bellovin <>
List: current-users
Date: 12/03/2001 12:18:56
In message <Pine.NEB.4.33.0112031151580.4384-100000@Apenheul.BigScaryChildren.net>, Rick Byers writes:
>On Mon, 3 Dec 2001, Martin Husemann wrote:
>> Which still means you have to do it for each and every machine behind a
>> pppoe router. It's hard to cope from our understanding of standards
>> conformance, but we *really* need a MSS clamping option for routers!
>> I've been dealing with completely clueless firewall admins at a client
>> for a few weeks now and just punted.
>I definitely agree.  Mike Pelley <> is implementing
>in-kernel MSS clamping.  Anyone know if other OSes handle this directly in
>the TCP stack?  Since the problem applies to more than just PPPoE
>connections, and more than just ipnat setups - it makes sense to me to
>support MSS clamping in the TCP stack directly.  However, I'm not aware of
>any other OS that does this.
Routers shouldn't tinker with MSS's.  If nothing else, that won't work 
for non-TCP protocols or in the presence of IPsec.  The right answer is 
PMTU, and routers that see a small outbound link should emit the proper 
packet.  In particular, PPPoE routers tend to be user premises 
gateways, which should allay any security concerns.

		--Steve Bellovin,
		Full text of "Firewalls" book now at
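What the in-kernel MSS clamping discussed above actually has to do on the forwarding path, as an added Python example (not code from this thread, from NetBSD, or from Mike Pelley's patch): lower the MSS option of a forwarded SYN to what fits the PPPoE link (MTU 1492, minus 20 bytes IPv4 and 20 bytes TCP header, gives 1452) and patch the TCP checksum incrementally. The addresses, the sample SYN and the MTU are constructed for the example; this only works on segments whose TCP header is visible to the router, which is why it cannot help an ESP-encapsulated flow.

```python
import struct

IPV4_HDR, TCP_HDR = 20, 20          # fixed headers without options (constructed assumption)
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MAXSEG = 0, 1, 2

def _ones_add(a, b):                # one's-complement 16-bit add with carry fold
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def tcp_checksum(src, dst, segment):
    """Full TCP checksum over the IPv4 pseudo-header plus the segment (0 if valid)."""
    data = src + dst + struct.pack("!BBH", 0, 6, len(segment)) + segment
    data += b"\x00" * (len(data) % 2)
    total = 0
    for (word,) in struct.iter_unpack("!H", data):
        total = _ones_add(total, word)
    return ~total & 0xFFFF

def build_syn(src, dst, mss):
    """Constructed sample SYN (ports 40000->80) carrying only an MSS option."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    hdr += struct.pack("!BBH", TCPOPT_MAXSEG, 4, mss)
    return hdr[:16] + struct.pack("!H", tcp_checksum(src, dst, hdr)) + hdr[18:]

def clamp_syn_mss(segment, link_mtu):
    """Lower the MSS option of a SYN to what fits the link MTU and fix the
    checksum incrementally (RFC 1624: HC' = ~(~HC + ~m + m')).
    Returns (segment, mss_after); mss_after is None when there is no MSS option."""
    if not segment[13] & 0x02:                       # not a SYN: MSS is only sent here
        return segment, None
    limit = link_mtu - IPV4_HDR - TCP_HDR            # 1492 on PPPoE -> 1452
    seg, i = bytearray(segment), TCP_HDR
    end = min((segment[12] >> 4) * 4, len(segment))  # end of the option area
    while i < end and seg[i] != TCPOPT_EOL:
        if seg[i] == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= end or seg[i + 1] < 2 or i + seg[i + 1] > end:
            break                                    # malformed options: leave untouched
        if seg[i] == TCPOPT_MAXSEG and seg[i + 1] == 4:
            old = struct.unpack_from("!H", seg, i + 2)[0]
            if old <= limit:
                return segment, old
            struct.pack_into("!H", seg, i + 2, limit)
            hc = struct.unpack_from("!H", seg, 16)[0]
            hc = ~_ones_add(_ones_add(~hc & 0xFFFF, ~old & 0xFFFF), limit) & 0xFFFF
            struct.pack_into("!H", seg, 16, hc)
            return bytes(seg), limit
        i += seg[i + 1]
    return segment, None
```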