North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Minimum Internet MTU

  • From: Chris Brenton
  • Date: Mon Dec 22 07:54:22 2003

Greetings all,

I'm working with a few folks on firewall and IDS rules that will flag
suspicious fragmented traffic. I know the legal minimum of a
non-terminal fragment is 28 bytes, but given non-terminals should
reflect the MTU of the topologies along the link, this number is far
lower than what I expect you should see for legitimate fragmentation in
the wild.

A few years back I noted some 512-536 MTU links in ASIA. I've been doing
some testing and can't seem to find them anymore. Is is safe to assume
that 99.9% of the Internet is running on 1500 MTU or higher these days? 

I know some people artificially set their end point MTU a bit lower
(like 1400) to deal with things like having their traffic encapsulated
by GRE or IPSec. With this in mind, would we be safe to flag/drop/what
ever all fragments smaller than 1200 bytes that are not last fragments
(i.e., more fragments is still set)? Does anyone maintain, or is aware,
of links that would not meet this 1200 MTU?

Any and all feedback would be greatly appreciated,