Fragmentation, MSS, PMTUD

Fragmentation and TCP MSS, PMTUD:

TCP Maximum Segment Size and TCP Path MTU Discovery play an important role in fragmentation.

Let us first look at TCP MSS.

The TCP maximum segment size defines the maximum amount of data the receiver is willing to accept in a single TCP segment of a TCP/IP stream.

How MSS is calculated for a TCP/IP stream:

The MSS is calculated from the buffer size on both the server and the client side.

During TCP/IP connection setup, the SYN segment contains the MSS option. If a machine does not mention an MSS, a default of 536 bytes is assumed.

The default value of 536 is derived from 576 minus 40 bytes of headers, which is 20 bytes each for the IP and TCP header.

Please note that the MTU of a dial-up connection is 576.

Diagram:

1. Host A sends an MSS of 16k.

2. The server receives the SYN and sets the send MSS for Host A to 16k.

3. The server sends an MSS of 8k.

4. Host A receives it and sets the send MSS for the server to 8k.

Here the MSS is based on the minimum of buffer size and MTU.

The sender compares both MSS and MTU and takes the lowest value as its MSS. MSS is MTU-40, as mentioned earlier. Each host compares the MSS it received against its own MTU and chooses the lowest.

Here let us take Host A.

Host A has an MSS of 16k and an MTU of 1500. Now it chooses 1500.

When it receives a packet from the server with an MSS of 4422, it again compares this with its own MSS and chooses the lowest.
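The negotiation described above, written out as an added example (this is not code from the original post): each side takes the lower of the MSS the peer advertised and its own MTU minus the 40 bytes of IP and TCP headers, and a SYN without an MSS option is treated as advertising 536. The 16k, 8k, 4422 and 1500 figures are the post's; applying the MTU-40 rule the post states, an MTU of 1500 yields 1460 as the limit on that side.

```python
from typing import Dict, Optional

# Figures quoted in the post: 20-byte IP header + 20-byte TCP header, and the
# 536-byte default that applies when the SYN carries no MSS option (576 - 40).
IP_TCP_HEADERS = 40
DEFAULT_MSS = 536


def mss_from_mtu(mtu: int) -> int:
    """Largest TCP payload that fits in one IP datagram on a link of this MTU."""
    return mtu - IP_TCP_HEADERS


def effective_send_mss(received_mss: Optional[int], local_mtu: int) -> int:
    """Send MSS a host will use toward its peer.

    The peer's advertised MSS is a receiver limit; the local MTU is a transmit
    limit.  The host must honour both, so the lower of the two wins.  A SYN
    that carries no MSS option is treated as advertising the 536-byte default.
    """
    if received_mss is None:
        received_mss = DEFAULT_MSS
    return min(received_mss, mss_from_mtu(local_mtu))


def negotiate(host_a_mss: int, host_a_mtu: int,
              server_mss: int, server_mtu: int) -> Dict[str, int]:
    """Walk the four steps of the diagram and return each side's send MSS."""
    # Step 1: Host A's SYN advertises host_a_mss.
    # Step 2: the server records it as the most it may send to Host A,
    #         bounded by the server's own MTU.
    server_send = effective_send_mss(host_a_mss, server_mtu)
    # Step 3: the server's SYN/ACK advertises server_mss.
    # Step 4: Host A records it, again bounded by its own MTU.
    host_a_send = effective_send_mss(server_mss, host_a_mtu)
    return {"host_a_send_mss": host_a_send, "server_send_mss": server_send}


if __name__ == "__main__":
    # Host A advertises 16k, the server 8k, both on 1500-byte Ethernet.
    print(negotiate(16 * 1024, 1500, 8 * 1024, 1500))
    # The server answers with MSS 4422 while Host A sits on a 1500-byte link.
    print(effective_send_mss(4422, 1500))
```

Note that the advertised value only ever lowers what the other side sends; a host never sends more than its own link allows, which is why a 16k advertisement on an Ethernet path still ends up as 1460-byte segments.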

Please note that TCP MSS takes care of fragmentation at both ends but not in the intermediate networks, as it does not account for lower-MTU interfaces along the path. To avoid that, Path MTU Discovery was introduced.

Path MTU discovery:

PMTUD is used to dynamically determine the path MTU along the path from source to destination.

If PMTUD is enabled, all TCP/IP packets from the host have the DF bit set.

Please note that PMTUD is supported only for TCP, and the ip tcp path-mtu-discovery command is used to enable PMTUD for TCP connections.

PMTUD is done independently in both directions of a TCP flow. In some cases, the PMTUD trigger will lower the MSS of one side while the other side keeps its original send MSS, because it never sent an IP datagram large enough to trigger PMTUD.

PMTUD uses the ICMP error message, which includes the next-hop MTU. This next-hop MTU determines the MSS of the TCP/IP machines.


Scenario 1:

Here the client uses the default MSS and the server uses an MSS of 1500, so here it is the server that triggers PMTUD.

Scenario 2:

Here packets from the client are routed via routers A and B, and packets from the server are routed via routers C and D.

So there is no need for a PMTUD trigger on the client side, since it will never receive the ICMP error message "Destination unreachable" with the code indicating "Fragmentation needed and DF bit set".

Problems with PMTUD:

Three things can break PMTUD; two of them are uncommon.

1. A router can drop packets without sending an ICMP error message (uncommon).

2. A router can drop packets and send an ICMP error message, but the sender ignores the message (uncommon).

3. A router can drop packets and send an ICMP error message, but the message is blocked by a firewall or by a router with an ACL (common).
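The PMTUD exchange from the previous section and the third failure case above, as an added simulation (not code from the original post). Each link on the path has an MTU; a router whose next hop is too small for a DF-set datagram drops it and returns the "fragmentation needed" error carrying the next-hop MTU, and the sender lowers its MSS to that MTU minus 40 and resends. A link can also be flagged as filtering ICMP, which turns the path into a black hole: the datagram vanishes and the sender never learns why. Each direction of the flow runs on its own path, as in scenario 2. The Link and FragNeeded names and all link MTUs are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IP_TCP_HEADERS = 40  # 20-byte IP header + 20-byte TCP header


@dataclass
class Link:
    mtu: int
    icmp_filtered: bool = False  # True: an ACL/firewall on the way back eats the ICMP error


@dataclass
class FragNeeded:
    """ICMP type 3 code 4: destination unreachable, fragmentation needed and DF set."""
    next_hop_mtu: int


def forward(datagram_len: int, path: List[Link]) -> Tuple[str, Optional[FragNeeded]]:
    """Push one DF-set datagram hop by hop along the path.

    Returns ("delivered", None), ("icmp", FragNeeded) when the router that
    dropped it could report back, or ("black_hole", None) when the ICMP
    error is filtered and the sender learns nothing.
    """
    for link in path:
        if datagram_len > link.mtu:
            if link.icmp_filtered:
                return "black_hole", None
            return "icmp", FragNeeded(next_hop_mtu=link.mtu)
    return "delivered", None


def pmtud(send_mss: int, path: List[Link], max_attempts: int = 8) -> Tuple[int, bool, int]:
    """Sender side of PMTUD for one direction of a TCP flow.

    Starts with the MSS learned in the handshake and sends full-size segments
    with DF set.  Each FragNeeded lowers the MSS to next_hop_mtu - 40 and the
    segment is resent.  Returns (final_mss, delivered, attempts).
    """
    mss = send_mss
    for attempt in range(1, max_attempts + 1):
        outcome, icmp = forward(mss + IP_TCP_HEADERS, path)
        if outcome == "delivered":
            return mss, True, attempt
        if outcome == "black_hole":
            # Retransmissions of the same size would keep vanishing: the
            # connection stalls on large segments while small ones get through.
            return mss, False, attempt
        mss = icmp.next_hop_mtu - IP_TCP_HEADERS
    return mss, False, max_attempts


def both_directions(client_mss: int, client_path: List[Link],
                    server_mss: int, server_path: List[Link]) -> Dict[str, Tuple[int, bool, int]]:
    """Each direction runs PMTUD on its own path (scenario 2: asymmetric routing)."""
    return {
        "client_to_server": pmtud(client_mss, client_path),
        "server_to_client": pmtud(server_mss, server_path),
    }


if __name__ == "__main__":
    # Client sends small (default-MSS) segments via A and B; the server sends
    # 1460-byte segments back via C and D, where D's link is only 1400 bytes.
    print(both_directions(536, [Link(1500), Link(1500)],
                          1460, [Link(1500), Link(1400)]))
    # Same path, but D's ICMP error is dropped by an ACL: a PMTUD black hole.
    print(pmtud(1460, [Link(1500), Link(1400, icmp_filtered=True)]))
```

The black-hole result is what the ACL in the next paragraph prevents: the server keeps its 1460-byte MSS, every full-size segment is dropped at the 1400-byte link, and only the small segments of the handshake got through.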

So the ACL configuration given below needs to be applied, so that the ICMP unreachable messages are permitted:

access-list 101 permit icmp any any unreachable

access-list 101 permit icmp any any time-exceeded

access-list 101 deny icmp any any

access-list 101 permit ip any any

There are some other techniques that can be used to help alleviate the ICMP blocking.

1. Clear the DF bit on the router and allow fragmentation. But fragmentation will trigger some issues.

2. Manipulate the TCP MSS option value using the interface command ip tcp adjust-mss <500-1460>.
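What the second technique does to a passing SYN, as an added example (not the router's own implementation and not code from the original post): parse the TCP options, find the MSS option and, if its value exceeds the configured clamp, overwrite it. The clamp value is the usable MTU minus 40, so for a 1492-byte PPPoE link it is 1452. The build_syn, parse_options and adjust_mss names are constructed for the example; a real device would also recompute the TCP checksum, which this code only zeroes.

```python
import struct
from typing import Dict, Optional, Tuple

IP_TCP_HEADERS = 40
OPT_EOL, OPT_NOP, OPT_MSS, OPT_SACK_OK = 0, 1, 2, 4
SYN_FLAG = 0x02


def mss_for_mtu(effective_mtu: int) -> int:
    """Clamp value for a link whose usable MTU is effective_mtu (1492 for PPPoE -> 1452)."""
    return effective_mtu - IP_TCP_HEADERS


def build_syn(src_port: int, dst_port: int, mss: int) -> bytes:
    """Constructed TCP SYN carrying MSS, NOP, NOP, SACK-permitted options (test input)."""
    options = struct.pack("!BBH", OPT_MSS, 4, mss) + bytes([OPT_NOP, OPT_NOP, OPT_SACK_OK, 2])
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                         data_offset << 4, SYN_FLAG, 65535, 0, 0)
    return header + options


def parse_options(segment: bytes) -> Dict[int, Tuple[int, int]]:
    """Map option kind -> (offset of its value within the segment, value length)."""
    header_len = (segment[12] >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad TCP data offset")
    found: Dict[int, Tuple[int, int]] = {}
    i = 20
    while i < header_len:
        kind = segment[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:          # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= header_len:
            raise ValueError("truncated option")
        length = segment[i + 1]
        if length < 2 or i + length > header_len:
            raise ValueError("bad option length")
        found[kind] = (i + 2, length - 2)
        i += length
    return found


def read_mss(segment: bytes) -> Optional[int]:
    opts = parse_options(segment)
    if OPT_MSS not in opts or opts[OPT_MSS][1] != 2:
        return None
    return struct.unpack_from("!H", segment, opts[OPT_MSS][0])[0]


def adjust_mss(segment: bytes, max_mss: int) -> Tuple[bytes, Optional[int]]:
    """Emulate ip tcp adjust-mss: lower an advertised MSS that exceeds max_mss.

    Only SYN segments carry the option, and a value already at or below the
    clamp is left untouched.  Returns (new_segment, original_mss).
    """
    if not segment[13] & SYN_FLAG:
        return segment, None
    original = read_mss(segment)
    if original is None or original <= max_mss:
        return segment, original
    buf = bytearray(segment)
    struct.pack_into("!H", buf, parse_options(segment)[OPT_MSS][0], max_mss)
    struct.pack_into("!H", buf, 16, 0)   # checksum must be recomputed by a real device
    return bytes(buf), original


if __name__ == "__main__":
    syn = build_syn(40000, 443, 1460)
    clamped, before = adjust_mss(syn, mss_for_mtu(1492))
    print(before, "->", read_mss(clamped))   # 1460 -> 1452
```

Because the rewrite happens on the SYN in each direction, both ends come out of the handshake believing the peer can only accept 1452 bytes, and neither ever sends a segment that the PPPoE link would have to drop, so no ICMP message is needed at all.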

Fragmentation issues:

1. Fragmentation and reassembly need more CPU and memory.

2. Dropping a single fragment forces retransmission of the entire datagram, which leads to fragmentation again.

3. Firewalls may have problems processing fragmented packets, as a firewall uses L4 to L7 details.

If the IP fragments arrive out of order, a firewall may block the non-initial fragments because they do not carry the information that would match the filter. This causes reassembly to fail. If the firewall is configured to allow non-initial fragments, attacks through non-initial fragments could occur.
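Issues 2 and 3 above, shown on real IPv4 fragment headers in an added example (not code from the original post): a 2020-byte TCP segment is split for a 576-byte MTU, reassembly succeeds in any order but fails as soon as one fragment is missing (so the whole segment must be resent and fragmented again), and a filter that matches on TCP ports can only find them in the initial fragment. Addresses, ports and the payload are constructed; the fragment, reassemble and l4_ports_visible names are the example's own.

```python
import struct
from typing import List, Optional, Tuple

IPV4_HEADER = 20
FLAG_DF, FLAG_MF, OFFSET_MASK = 0x4000, 0x2000, 0x1FFF
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # constructed addresses


def fragment(payload: bytes, mtu: int, ident: int, proto: int = 6) -> List[bytes]:
    """Split one transport-layer payload into IPv4 fragments that fit in mtu.

    Every fragment but the last carries a multiple of 8 data bytes, because
    the fragment offset field counts 8-byte units; every fragment repeats the
    IP header with the same identification so the receiver can regroup them.
    """
    max_data = (mtu - IPV4_HEADER) // 8 * 8
    if max_data <= 0:
        raise ValueError("MTU too small for any fragment data")
    fragments, offset = [], 0
    while offset < len(payload):
        chunk = payload[offset:offset + max_data]
        more = offset + len(chunk) < len(payload)
        flags_off = (FLAG_MF if more else 0) | (offset // 8)
        header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HEADER + len(chunk),
                             ident, flags_off, 64, proto, 0, SRC, DST)
        fragments.append(header + chunk)
        offset += len(chunk)
    return fragments


def parse_fragment(frag: bytes) -> dict:
    total_len, ident, flags_off = struct.unpack_from("!HHH", frag, 2)
    return {"ident": ident, "more": bool(flags_off & FLAG_MF),
            "offset": (flags_off & OFFSET_MASK) * 8, "data": frag[IPV4_HEADER:total_len]}


def reassemble(frags: List[bytes]) -> Optional[bytes]:
    """Rebuild the payload; None if any fragment is missing.

    The receiver cannot ask for just the lost piece: the sender's TCP will
    retransmit the whole segment, which gets fragmented all over again.
    Fragments may arrive in any order, so they are sorted by offset first.
    """
    parts = sorted((parse_fragment(f) for f in frags), key=lambda p: p["offset"])
    out, expected, saw_last = b"", 0, False
    for p in parts:
        if p["offset"] != expected:
            return None
        out += p["data"]
        expected += len(p["data"])
        saw_last = saw_last or not p["more"]
    return out if saw_last else None


def l4_ports_visible(frag: bytes) -> Optional[Tuple[int, int]]:
    """What a stateless port filter can see.  The TCP ports live in the
    transport header, which only the initial fragment (offset 0) carries;
    a non-initial fragment cannot be matched on ports at all."""
    p = parse_fragment(frag)
    if p["offset"] != 0 or len(p["data"]) < 4:
        return None
    return struct.unpack_from("!HH", p["data"])


def make_tcp_segment(src_port: int, dst_port: int, payload_len: int) -> bytes:
    """Constructed TCP header (20 bytes, ACK flag) plus a dummy payload."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x10, 65535, 0, 0)
    return header + (bytes(range(256)) * (payload_len // 256 + 1))[:payload_len]


if __name__ == "__main__":
    segment = make_tcp_segment(40000, 443, 2000)
    frags = fragment(segment, 576, 0x1234)
    print([len(f) - IPV4_HEADER for f in frags])           # [552, 552, 552, 364]
    print([l4_ports_visible(f) for f in frags])             # [(40000, 443), None, None, None]
    print(reassemble(frags) == segment, reassemble(frags[1:]))  # True None
```

A firewall therefore has only two stateless choices for a non-initial fragment, drop it (and break every fragmented datagram) or let it through unchecked; doing better requires holding fragments until the initial one has been seen.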

Common network topologies that need PMTUD:

1. Token Ring, where the MTU is larger than the MTU of Ethernet.

2. PPPoE (often used with ADSL) needs 8 bytes for its header. This reduces the effective MTU of Ethernet to 1492 bytes (1500-8).

Tunnels like GRE, IPsec and L2TP need space for their headers and trailers, so they obviously reduce the effective MTU of the interfaces.

What is a tunnel:

A tunnel is a logical interface that provides a way to encapsulate a passenger packet inside a transport protocol.
