Path MTU Discover (PMTUD) from herein is a technique for determining the MTU size on a network path beetween 2 IP addresses; the source IP and the destination IP (reference the previous blog post on TCP flows).
The network path is the path in which the packets/datagrams have to traverse in order get from sourceip:port to destinationip:port. This path can include router interfaces, firewall interfaces, switch interfaces, etc. All of which will have an MTU value (Maximum Transmission Unit). This MTU value is simply a filter, which if the packet exceed it will be dropped. Say for example, the router interface we are going via has an MTU of 1422 (this is in bytes). If we transmit packets with a size of 1522, the packets will either be dropped if the sending TCP stack has the DF (Dont Fragment) bit set; or the packet will be fragmented which does affect network performance.
Now the problem is you need to either set all MTU’s to a fixed value on your ethernet LAN (1500, for example) and then ensure all packets transmitted comply with this, accept that fragmentation will happen – for example when using an MTU of 9000 with jumbo frames, or use PMTUD.
PMTUD is relatively simple in its complexity. If enabled, the packet will be sent out with a size of 1522. When it hits the interface with a MTU 1422, which it cannot pass through, the packet is dropped and a message is sent back to the sender saying “It was too big, the MTU of the interface was 1422”. The sender will then update their MTU to 1422, and re-send. It will now pass through the first interface as its size is now =< 1422.
It does this repeatedly until it reaches the destination IP; once it can achieve such a path it can be said the path MTU is 1422 (if no further interfaces with lower MTU’s are found).
Delving a little more into the details, the way this “It was too big, the MTU of the interface was 1422” message is relayed back to the source IP is via ICMP. The router will send an ICMP “Fragmentation Needed” message back to the source IP, containing the MTU value in question (1422). The ICMP “Fragmentation Needed” message, for reference, is Type 3, Code 4.
The problem with such a feature is the fact that ICMP is often misunderstood and misconfigured. Some security personnel see it as the devil and as such block all ICMP. If this happens, the connections will complete at a TCP level (SYN, SYNACK, ACK) and establish a flow, however the connection will “hang” when the data begins transfer. This state is often referred to as a “black hole connection”. Therefore i stress that if you are indeed going to use PMTUD, ensure that the ICMP path beetween hosts is also clear and alive.
Sam