MSS Initiative

What's Here Other Links

Our Letter To Admins

Below is our letter we send to admins of sites that are reported to us.

To Whom it May Concern:

As a frequent visitor of www.example.com, I am writing to tell you that your
site is not reachable from all locations. This is due to what is called the
Path MTU Discovery Blackhole (RFC 2923 -
ftp://ftp.isi.edu/in-notes/rfc2923.txt).

Essentially what is happening is that your site has Path MTU Discovery
(PMTUD) enabled, but is not receiving the ICMP messages that are required
for PMTUD to function properly. This is most likely due to ICMP filtering at
your site, but may be due to a router in between.

One example of this occurrence is users of DSL that use PPPoE. Such customers
have links with an MTU of 1492, but machines behind that link that are
connected via ethernet have an MTU of 1500. A connection between such a
client and your webserver will start off transferring at 1460 (1500-40
headers) since neither side knows about the PPPoE. But the first time your
webserver sends a full size packet (which will have the "Don't Fragment" bit
set as is required in PMTUD), it won't fit through the PPPoE pipe. At that
point the router on the ISP's side of the PPPoE tunnel will send an ICMP
type 3 code 4 saying "Fragmentation is needed, but you have the Don't
Fragment bit set, please send smaller packets." However, your webserver is
not getting this packet. This is most likely being dropped by one of your
firewalls, although it is possible a router in front of you, such as your
provider, is actually dropping them.

There are two solutions to this problem:

A) Allow ICMP type 3 code 4 messages to reach the webserver
B) Turn off Path MTU Discovery on the web server

Solution A enables your webserver to use the right MSS, and
does not pose a security threat, see
  http://www.giac.org/certified_professionals/practicals/gsec/0719.php
Solution B will allow the ISP router to fragment the packets.
Solution A is highly preferred as fragmentation will lead to poorer
performance.

For more information, and an explanation of terms and abbreviations read:
ftp://ftp.isi.edu/in-notes/rfc2923.txt
http://www.phildev.net/mss/

Thank you,
Phil Dibowitz
Richard van den Berg
mss@ipom.com


Valid XHTML 1.0

This page is © Phil Dibowitz 2001 - 2009