North American Network Operators Group


RE: Digital Island sponsors DoS attempt?

  • From: Quibell, Marc
  • Date: Fri Oct 26 15:14:10 2001

I don't believe I have it backwards, since RFC1191, the one you quoted,
states:
"A host doing PMTU Discovery must obey the rule that it not send IP
datagrams larger than 576 octets unless it has permission from the
receiver." So really, unless it gets permission to send larger packets from
the receiver, it'll send them at less than 576 bytes.

I imagine this'll all change though whenever IPv6 comes about since the min.
MTU size will be (approx.) 1200. As another poster stated, IPv6 requires
PMTU, so this could become a nasty little problem.

Thanks for the rest of the info on the HOW as I am not quite sure either and
your scenarios make sense.

Marc 


-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Friday, October 26, 2001 1:46 PM
To: Quibell, Marc
Cc: [email protected]
Subject: Re: Digital Island sponsors DoS attempt? 


On Fri, 26 Oct 2001 13:19:51 CDT, "Quibell, Marc" said:
> path. Nobody I know, nor have I ever had a problem with "PMTU" and shutting
> off ICMP routing. And no I do not believe it is used across the internet,

Some of us *have* seen it.

> and if it does, it is probably hindering performance since it's probably
> using a lower mtu than is allowed, such as 576 or smaller. It would also
> have problems running  across multi-level routing hierarchies.

You have this backwards.  RFC791, section 2.1, says:

    impractical for most hosts and networks.  All hosts must be prepared
    to accept datagrams of up to 576 octets (whether they arrive whole
    or in fragments).  It is recommended that hosts only send datagrams
    larger than 576 octets if they have assurance that the destination
    is prepared to accept the larger datagrams.

    The number 576 is selected to allow a reasonable sized data block to
    be transmitted in addition to the required header information.  For
    example, this size allows a data block of 512 octets plus 64 header
    octets to fit in a datagram.  The maximal internet header is 60
    octets, and a typical internet header is 20 octets, allowing a
    margin for headers of higher level protocols.

So if you're on a LAN where the MTU is 1500, you can be reasonably sure that
the other end can catch 1500 byte packets.  If you're *leaving* the subnet,
you have to send only 576-byte packets unless you have reason to believe you
can send bigger (PMTU discovery).  Some sites just blindly send 1500 bytes
anyhow, and *hope* that things get fragmented - but *THAT* behavior is
actually against-standard.

So the two most prevalent ways to cut the number of packets by 65% or so
are to use PMTUd, or to blindly throw 1500 and hope it works.....

> Finally, I do not believe PMTU uses pings to discover the PMTU. I believe it
> uses TCP or UDP packets at the layers above IP, and it DOES use "ICMP Packet

RFC1191 is silent on HOW to do it.  IBM specifically chose to use ICMP ECHO
to test, rather than the TCP packets, so that PMTU discovery could be
done *before* it might actually be needed (since many TCP applications such
as SMTP and HTTP don't send a full MTU-sized packet right off the bat because
the first few packets are doing negotiation - if you can do PMTU discovery in
parallel with that, it can be a win - if you hit a 'frag needed' only after
several packets, you get to flush the slow-start timers, retransmit, and a lot
of other ugliness....
-- 
				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech
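As an added example (not code from the thread or from either poster) of the RFC 1191 behaviour discussed above, here is a small Python simulation: the sender probes with DF set, shrinks to the next-hop MTU carried in each "fragmentation needed" message, and retreats to the 576-octet minimum when a site silently filters those ICMP messages. The multi-hop path, its MTUs and the `Path`/`discover_pmtu` names are constructed for illustration.

```python
from dataclasses import dataclass

MIN_IPV4_DATAGRAM = 576   # RFC 791: every host must accept datagrams this large
MIN_NEXT_HOP_MTU = 68     # RFC 1191: a reported next-hop MTU below this is bogus


@dataclass
class Path:
    """A constructed multi-hop path; link_mtus[0] is the sender's own LAN."""
    link_mtus: list
    filter_icmp: bool = False   # model a site that drops "fragmentation needed"

    def send(self, size, dont_fragment=True):
        """Return ('delivered', size), ('frag_needed', next_hop_mtu) or ('dropped', None)."""
        for mtu in self.link_mtus:
            if size <= mtu:
                continue
            if not dont_fragment:
                size = mtu                  # router fragments; simplified to the largest piece
                continue
            if self.filter_icmp:
                return ('dropped', None)    # black hole: the sender hears nothing back
            return ('frag_needed', mtu)     # ICMP type 3 code 4 carrying the next-hop MTU
        return ('delivered', size)


def discover_pmtu(path, initial_mtu, max_silent=3):
    """Probe with DF set and shrink to each reported next-hop MTU (RFC 1191).
    Returns (pmtu, probes_sent). When probes vanish max_silent times in a row,
    or a reported MTU is implausible, retreat to the 576-octet safe minimum."""
    size, probes, silent = initial_mtu, 0, 0
    while True:
        probes += 1
        status, value = path.send(size)
        if status == 'delivered':
            return size, probes
        if status == 'frag_needed' and MIN_NEXT_HOP_MTU <= value < size:
            size, silent = value, 0         # accept the router's hint and retry
            continue
        if status == 'dropped':
            silent += 1
            if silent < max_silent:
                continue                    # give the path a few more chances
        return MIN_IPV4_DATAGRAM, probes    # fall back to what every host must accept
```

The `filter_icmp` case is the one the thread argues about: with "fragmentation needed" dropped, the sender never learns the real path MTU and only the 576-octet retreat keeps traffic flowing.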