Bugtraq mailing list archives

Re: Small TCP packets == very large overhead == DoS?


From: Darren Reed <avalon () coombs anu edu au>
Date: Tue, 10 Jul 2001 09:30:10 +1000 (Australia/ACT)

In some mail from Russ, sie said:

-----BEGIN PGP SIGNED MESSAGE-----

According to MSDN, NT 3.5/3.51/4.0 and Windows 2000 implement a
minimum MSS of 68 bytes (found under the discussion of PMTU and RFC
791 and 1191), as prescribed by RFC 791.

I think some people are not understanding the difference between the
TCP MSS and IP's MTU.  Either that or both you and David LeBlanc are
grasping at straws in order to make WindowsNT look better ;)

MTU and Path MTU (PMTU) discovery are not the same as TCP's MSS but they
can and do impact it.

I'll repeat, in testing, I managed to get NT4.0 (workstation) to accept
a TCP MSS of 1 (sent lots of data packets out that had 1 byte of data)
and I got Win2000 to accept an MTU of 69 (effective MSS of 17 after TCP
options) through PMTU discovery.

Now, if 20+68 is the reason why 88 is the minimum MSS Win2000 will
accept then someone doesn't understand what the word "MTU" means because
it refers to the TOTAL IP datagram length, not the data part.

Given all of the above, the suggestion both you and David LeBlanc made
that Windows fixed things at a default of 576 when PMTU discovery was
enabled is not true and I proved this in testing.  It would also be an
incorrect implementation if it were true so the MS guys have done the
right thing here.  Furthermore, if it worked like the documentation
suggested it did then PMTU discovery would break if it went over a
connection with an MTU under 576 (possible).  What is magic about the
number 576 is that the host requirement RFCs say that all IP
implementations must be able to put back together a fragmented packet
that is 576 bytes in length (RFC1122:3.3.2).

Using the C program I posted, I was able to get Win2000 to create a
MTU specific path to a local box where the MTU was 69.  That's well
under any number over 500 (depending on how you choose to see the
value).

The registry setting both you and David have mentioned is the same as
these controls elsewhere:

NetBSD - sysctl net.inet.ip.mtudisc
Solaris - ndd /dev/ip ip_path_mtu_discovery

and so on.  Essentially, on both of those platforms all it does is
control whether the "don't fragment" bit (0x4000) is set in the IP
offset field.

Path MTU discovery has absolutely no interaction with the TCP MSS
except that one would expect it to be used if a cached path already
existed to a host, with an MTU specific for it set, when initiating
or accepting a new TCP connection.  Well, maybe I'm being a bit
strong on the "no" bit.

I *DID* search MSDN for any information on TCP MSS settings in the
registry *BEFORE* posting the email.  I get the same lack of an
answer on how to set a minimum acceptable MSS now as I did then.
FWIW, I've got a copy of the TCP/IP parameters in WinNT on my desk
right here beside me.

============================================================
EnablePMTUDiscovery     REG_DWORD     0 | 1

Default: 1

Determines whether TCP uses a fixed, default maximum transmission unit (MTU)
or attempts to detect the actual MTU.

Value   Meaning
0       TCP uses an MTU of 576 bytes for all connections to computers
        outside the local subnet.
1       TCP attempts to discover the MTU of the path to a remote host.
By discovering the Path MTU and limiting TCP segments to this size, TCP can
eliminate fragmentation at routers along the path that connects networks
with different MTUs. Fragmentation reduces TCP throughput and increases
network congestion.

Note

Windows NT does not add this value to the Registry. You can add it by

What that should say is:
0         TCP uses an MTU of 576 bytes for setting the initial maximum
          segment size for communicating with remote hosts.

I guess what it currently says _is correct_ but the way it is being said
is confusing for the reader if you do not understand what they mean by
"use".  In this context it does not mean for the lifetime of the connection,
only the initial setup (calculate MSS value for packets where the SYN flag
is set).

Also, there's the registry key;

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
EnablePMTUDiscovery = 0 (DWORD)

EnablePMTUDiscovery: completely enables or disables the PMTU
discovery mechanism. When PMTU discovery is disabled, an MTU of 576
bytes is used for all non-local destination addresses. PMTU discovery
is enabled by default.

This would enforce a minimum MSS of 536.
 
Finally, in the registry key under a specific interface;

Again the wrong conclusion to what this means has been arrived at.  It
means the MSS is 536 when the TCP connection is started and packets with
the SYN bit and MSS option are being sent.  It definitely does not mean
"enforce a minimum MSS of 536 for the lifetime of a connection".

Darren 
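
Added example (not part of the original post, and not the C program referred to in it): a short C sketch of the MTU/MSS distinction argued above, for use when inspecting captured SYN segments for unusually small MSS values. The function names and the sample bytes are constructed for illustration, and the 12 bytes of TCP options used for the MTU 69 case is an assumption (for example a padded timestamp option).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TCP_MIN_HDR  20
#define TCP_FLAG_SYN 0x02

/* Payload bytes per segment for a given path MTU: the MTU is the TOTAL
 * IP datagram length, so both headers and any TCP options come off it. */
int effective_mss(int mtu, int ip_hlen, int tcp_optlen)
{
    int mss = mtu - ip_hlen - TCP_MIN_HDR - tcp_optlen;
    return mss > 0 ? mss : 0;
}

/* Return the MSS option carried in a SYN segment, 0 if the SYN carries no
 * MSS option, or -1 if the segment is not a SYN or is malformed. */
int tcp_syn_mss(const uint8_t *tcp, size_t len)
{
    if (len < TCP_MIN_HDR) return -1;
    size_t hlen = (size_t)(tcp[12] >> 4) * 4;       /* data offset in bytes */
    if (hlen < TCP_MIN_HDR || hlen > len) return -1;
    if (!(tcp[13] & TCP_FLAG_SYN)) return -1;
    for (size_t i = TCP_MIN_HDR; i < hlen; ) {
        uint8_t kind = tcp[i];
        if (kind == 0) break;                        /* end of option list */
        if (kind == 1) { i++; continue; }            /* NOP padding */
        if (i + 1 >= hlen) return -1;
        uint8_t olen = tcp[i + 1];
        if (olen < 2 || i + olen > hlen) return -1;  /* truncated option */
        if (kind == 2)                               /* MSS: kind 2, length 4 */
            return olen == 4 ? (tcp[i + 2] << 8) | tcp[i + 3] : -1;
        i += olen;
    }
    return 0;
}

/* Constructed sample: a 24-byte SYN header advertising MSS = 1. */
static const uint8_t sample_syn[24] = {
    0x04,0xd2, 0x00,0x50, 0,0,0,1, 0,0,0,0,   /* ports, seq, ack */
    0x60, 0x02, 0x20,0x00, 0,0, 0,0,          /* offset=6, SYN, window */
    0x02,0x04,0x00,0x01                       /* MSS option, value 1 */
};

int main(void)
{
    printf("SYN MSS option: %d\n", tcp_syn_mss(sample_syn, sizeof sample_syn));
    printf("MTU 576 -> MSS %d\n", effective_mss(576, 20, 0));
    printf("MTU 69, 12 option bytes -> MSS %d\n", effective_mss(69, 20, 12));
    return 0;
}
```

The MSS read from the SYN is only the value advertised at connection setup; a path MTU learned later can shrink the per-segment payload further, which is why the second function is kept separate.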
