{"id":1577,"date":"2012-08-13T15:28:01","date_gmt":"2012-08-13T14:28:01","guid":{"rendered":"http:\/\/mccltd.net\/blog\/?p=1577"},"modified":"2012-08-16T14:00:06","modified_gmt":"2012-08-16T13:00:06","slug":"path-mtu-discovery-pmtu","status":"publish","type":"post","link":"http:\/\/darenmatthews.com\/blog\/?p=1577","title":{"rendered":"Path MTU Discovery (PMTU)"},"content":{"rendered":"<p><strong>An aide-m\u00e9moire for PMTU operation.<\/strong><br \/>\nThe path MTU is usually determined using Path MTU Discovery. Two hosts (e.g. client and server) can normally negotiate the path MTU dynamically, but networks that contain firewalls or tunnels (VPN, GRE, IPSec transport mode) sometimes require tuning the MTU values manually.<!--more--><\/p>\n<p>Determine the MTU manually by sending ICMP pings of different lengths with the \u201cDo Not Fragment\u201d bit set. For example:<\/p>\n<ul>\n<blockquote>\n<li>ping 10.64.8.62 -M do -s 1464 (note 1464 plus 28 bytes of ICMP header = 1492) \u2013 this failed.<\/li>\n<li>ping 10.64.8.62 -M do -s 1444 (note 1444 plus 28 bytes of ICMP header = 1472) \u2013 this passed.<\/li>\n<\/blockquote>\n<\/ul>\n<p>When PMTU is <em>not<\/em> blocked, the usual operation during connection establishment between the two hosts involves exchanging their TCP maximum segment size (MSS) values. 
The smaller of the two MSS values is used for the connection.<\/p>\n<ul>\n<li>The MSS for a host is the MTU at the link layer minus 40 bytes for the IP and TCP headers.<\/li>\n<li>However, support for additional TCP options, such as timestamps, has increased the typical TCP+IP header to 52 or more bytes:<\/li>\n<\/ul>\n<p><a href=\"http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2012\/08\/PMTU.gif\"><img loading=\"lazy\" class=\"aligncenter size-full wp-image-1578\" title=\"PMTU\" src=\"http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2012\/08\/PMTU.gif\" alt=\"PMTU\" width=\"326\" height=\"85\" srcset=\"http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2012\/08\/PMTU.gif 326w, http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2012\/08\/PMTU-300x78.gif 300w\" sizes=\"(max-width: 326px) 100vw, 326px\" \/><\/a><\/p>\n<p>When TCP segments are destined for a non-local network, the &#8220;do not fragment&#8221; bit is set in the IP header; however, any router along the path may have an MTU that differs from that of the two hosts:<\/p>\n<ol>\n<li>If a media segment has an MTU that is too small for the IP datagram being routed, the router will attempt to fragment the datagram accordingly. It will then find that the &#8220;do not fragment&#8221; bit is set in the IP header.<\/li>\n<li>At this point, the router should inform the sending host that the datagram cannot be forwarded further without fragmentation. This is done with an <strong>ICMP Destination Unreachable<\/strong> message.<\/li>\n<\/ol>\n<p>Most routers will also specify the MTU that is allowed for the next hop by putting the value for it in the low-order 16 bits of the ICMP header field that is labeled unused in the ICMP specification. 
(See RFC 1191, section 4, for the format of this message):<\/p>\n<p><a href=\"http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2012\/08\/MSS.JPG\"><img loading=\"lazy\" class=\"aligncenter size-full wp-image-1579\" title=\"MSS\" src=\"http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2012\/08\/MSS.JPG\" alt=\"MSS\" width=\"573\" height=\"162\" srcset=\"http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2012\/08\/MSS.JPG 573w, http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2012\/08\/MSS-300x84.jpg 300w\" sizes=\"(max-width: 573px) 100vw, 573px\" \/><\/a><\/p>\n<p>Upon receiving this ICMP error message, TCP adjusts its MSS for the connection to the specified MTU minus the TCP and IP header size, so that any further packets sent on the connection will be no larger than the maximum size that can traverse the path without fragmentation.<\/p>\n<ul>\n<li>A router along the TCP path of the session (possibly originating a VPN tunnel) might not support the packet size, and since it is not allowed to fragment the packet, it can request the originator to reduce the packet size. <span style=\"text-decoration: underline;\"><strong>It does this with an ICMP type 3, code 4 (34)<\/strong><\/span> packet that carries the desired maximum size in a two-octet field labeled Next-Hop MTU. In this same packet you can also find the sequence number for the offending packet.<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Disabling PMTU:<\/strong><\/span><\/p>\n<ul>\n<li>On Linux: echo 1 &gt; \/proc\/sys\/net\/ipv4\/ip_no_pmtu_disc<\/li>\n<li>On Cisco routers:<br \/>\nno ip tcp path-mtu-discovery<\/li>\n<\/ul>\n<p><strong>Microsoft Windows <\/strong>servers have registry settings to enable path MTU discovery. 
If this is not enabled, an MTU value of 576 bytes might be used, which can produce suboptimal network performance when a device communicates with a host outside of its local IP subnet.<\/p>\n<p>You can enable PMTU Discovery using the registry settings in<\/p>\n<blockquote><p><span>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters<\/span><\/p><\/blockquote>\n<p>The EnablePMTUDiscovery registry value governs whether TCP will attempt to discover the Maximum Transmission Unit (MTU), or largest packet size, for the entire path to a remote host.<\/p>\n<ul>\n<li>Setting this parameter to 0 (or off) causes an MTU of 576 bytes to be used for all connections to destinations other than the local subnet.<\/li>\n<\/ul>\n<p>By discovering the Path MTU (PMTU) and limiting TCP segments to this size, TCP can eliminate packet fragmentation at routers along the path that connect networks with different MTUs. Fragmentation adversely affects TCP throughput and causes network congestion.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>An aide-m\u00e9moire for PMTU operation. The path MTU is usually determined using Path MTU Discovery. Two hosts can normally negotiate the path MTU dynamically (e.g. 
client and server ) but networks that contain firewalls or tunnels (VPN, GRE, IPSec transport mode) sometimes require tuning the MTU values manually.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1577"}],"collection":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1577"}],"version-history":[{"count":12,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1577\/revisions"}],"predecessor-version":[{"id":1612,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1577\/revisions\/1612"}],"wp:attachment":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1577"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1577"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1577"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}