nanog mailing list archives
RE: IP tunnel MTU
From: "Templin, Fred L" <Fred.L.Templin () boeing com>
Date: Tue, 23 Oct 2012 07:07:17 -0700
Hi Roland,
-----Original Message-----
From: Dobbins, Roland [mailto:rdobbins () arbor net]
Sent: Monday, October 22, 2012 6:49 PM
To: NANOG list
Subject: Re: IP tunnel MTU

On Oct 23, 2012, at 5:24 AM, Templin, Fred L wrote:

Since tunnels always reduce the effective MTU seen by data packets due to the encapsulation overhead, the only two ways to accommodate the tunnel MTU are either through the use of path MTU discovery or through fragmentation and reassembly.

Actually, you can set your tunnel MTU manually. For example, the typical MTU folks set for a GRE tunnel is 1476.
Yes; I was aware of this. But, what I want to get to is setting the tunnel MTU to infinity.
This isn't a new issue; it's been around ever since tunneling technologies have been around, and tons have been written on this topic. Look at your various router/switch vendor Web sites, archives of this list and others, etc.
Sure. I've written a fair amount about it too over the span of the last ten years. What is new is that there is now a solution near at hand.
So, it's been known about, dealt with, and documented for a long time. In terms of doing something about it, the answer there is a) to allow the requisite ICMP for PMTU-D to work to/through any networks within your span of administrative control and b)
That does you no good if there is some other network further beyond your span of administrative control that does not allow the ICMP PTBs through. And, studies have shown this to be the case in a non-trivial number of instances.
b) adjusting your own tunnel MTUs to appropriate values based upon experimentation.
Adjust it down to what? 1280? Then, if your tunnel with the adjusted MTU enters another tunnel with its own adjusted MTU there is an MTU underflow that might not get reported if the ICMP PTB messages are lost. An alternative is to use IP fragmentation, but recent studies have shown that more and more operators are unconditionally dropping IPv6 fragments and IPv4 fragmentation is not an option due to wrapping IDs at high data rates. Nested tunnels-within-tunnels occur in operational scenarios more and more, and adjusting the MTU for only one tunnel in the nesting does you no good if there are other tunnels that adjust their own MTUs.
Enterprise endpoint networks are notorious for blocking *all* ICMP (as well as TCP/53 DNS) at their edges due to 'security' misinformation propagated by Confused Information Systems Security Professionals and their ilk. Be sure that your own network policies aren't part of the problem affecting your userbase, as well as anyone else with a need to communicate with properties on your network via tunnels.
Again, all an operator can control is that which is within their own administrative domain. That does no good for ICMPs that are lost beyond their administrative domain.

Thanks - Fred
fred.l.templin () boeing com

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

Luck is the residue of opportunity and design.

-- John Milton
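The nested-tunnel case argued over in this message, as an added example that is not part of the original post or either participant's code: a simplified model of sender-side path MTU discovery through a GRE tunnel carried inside another GRE tunnel, each set to the 1476 figure quoted above. The hop names, the 24-byte GRE-over-IPv4 overhead and the single flag standing in for "the PTB makes it back to the original sender" are assumptions made for the illustration.

```python
from dataclasses import dataclass

GRE_OVERHEAD = 24  # assumed GRE over IPv4: 20-byte outer IP + 4-byte GRE (1500 - 24 = 1476)

@dataclass
class Hop:
    name: str                   # constructed label
    mtu: int                    # largest packet accepted at this hop
    encap: int = 0              # bytes added when the hop is a tunnel ingress
    ptb_delivered: bool = True  # does this hop's ICMP PTB reach the original sender?

def send(path, size):
    """Forward one unfragmentable packet; return (outcome, detail)."""
    added = 0  # encapsulation bytes accumulated so far
    for hop in path:
        if size + added > hop.mtu:
            if not hop.ptb_delivered:
                return ("blackhole", hop.name)   # silent drop, sender learns nothing
            return ("ptb", hop.mtu - added)      # size the sender may use next
        added += hop.encap
    return ("delivered", size)

def pmtud(path, start=1500, max_probes=8):
    """Sender-side path MTU discovery: shrink on each PTB; None means black hole."""
    size = start
    for _ in range(max_probes):
        outcome, detail = send(path, size)
        if outcome == "delivered":
            return size
        if outcome == "blackhole":
            return None
        size = detail
    return None

def nested_path(outer_ptb_delivered):
    """Constructed path: a GRE tunnel (MTU set to 1476) riding inside another one."""
    return [
        Hop("lan", 1500),
        Hop("gre-inner", 1476, encap=GRE_OVERHEAD),
        Hop("gre-outer", 1476, encap=GRE_OVERHEAD, ptb_delivered=outer_ptb_delivered),
        Hop("underlay", 1500),
    ]

if __name__ == "__main__":
    single = [Hop("lan", 1500), Hop("gre", 1476, encap=GRE_OVERHEAD), Hop("underlay", 1500)]
    print("single tunnel:", pmtud(single))
    print("nested, PTBs delivered:", pmtud(nested_path(True)))
    print("nested, outer PTB filtered:", pmtud(nested_path(False)))
```

With every PTB delivered the sender converges on 1452; with the outer tunnel's PTB filtered, discovery stalls at 1476 and packets of that size are dropped silently.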