Subject: Re: Patch for timiting TCP MSS (i.e. for new PPPoE)
To: Steven M. Bellovin <>
From: Rick Byers <>
List: current-users
Date: 12/03/2001 15:46:03
On Mon, 3 Dec 2001, Steven M. Bellovin wrote:

> Routers shouldn't tinker with MSS's.  If nothing else, that won't work
> for non-TCP protocols or in the presence of IPsec.  The right answer is
> PMTU, and routers that see a small outbound link should emit the proper
> packet.  In particular, PPPoE routers tend to be user premises
> gateways, which should allay any security concerns.

Right, routers SHOULDN'T tinker with MSS's, but thousands of sites on the
net SHOULDN'T enable PMTU discovery and configure their router to block
all ICMP messages.  If you've got a network of Windows machines behind a
PPPoE router, the only alternative to MSS clamping is lowering the MTU of
all your Windows machines which causes degraded LAN performance.

Broken networks will allways require ugly hacks to work around their