CCIE 400-101: Network Principles - IPv4 and IPv6 PMTU, MSS

MSS

  • The TCP Maximum Segment Size (MSS) defines the maximum amount of data that a host is willing to accept in a single TCP/IP datagram.
  • The MSS value is sent as a TCP header option only in TCP SYN segments.
  • Each side of a TCP connection reports its MSS value to the other side.
  • Contrary to popular belief, the MSS value is not negotiated between hosts. The sending host is required to limit the size of data in a single TCP segment to a value less than or equal to the MSS reported by the receiving host.
  • In practice, each host first compares the MSS derived from its outgoing interface MTU with its own receive buffer and announces the lower of the two as its MSS.
  • The hosts will then compare the MSS size received against their own interface MTU and again choose the lower of the two values.
  • Often the send MSS value will be the same on each end of a TCP connection.
  • By default, the MSS = 1460 bytes in an Ethernet network (1500 bytes - 20-byte IP header - 20-byte TCP header = 1460 bytes).
  • TCP MSS takes care of fragmentation at the two endpoints of a TCP connection, but it doesn't handle the case where there is a smaller MTU link in the middle between these two endpoints.

PMTU

  • Path MTU (PMTU) is the smallest MTU in the path from source to destination.
  • Path MTU Discovery (PMTUD) was developed to avoid fragmentation in the path between the endpoints. It is used to dynamically determine the lowest MTU along the path from a packet's source to its destination.  
  • PMTUD is only supported by TCP. UDP and other protocols do not support it. 
  • If PMTUD is enabled on a host, and it almost always is, all TCP/IP packets from the host will have the DF bit set. 
  • If a router tries to forward an IP datagram, with the DF bit set, onto a link that has a lower MTU than the size of the packet, the router will drop the packet and return an Internet Control Message Protocol (ICMP) "Destination Unreachable" message to the source of this IP datagram, with the code indicating "fragmentation needed and DF set" (type 3, code 4).
  • A router returning an ICMP message indicating "fragmentation needed and DF set" should include the MTU of that next-hop network in the low-order 16 bits of the ICMP additional header field that is labeled "unused" in the ICMP specification. The high-order 16 bits remain unused, and MUST be set to zero.  Thus, the message has the following format:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |   Type = 3    |   Code = 4    |           Checksum            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |           unused = 0          |         Next-Hop MTU          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |      Internet Header + 64 bits of Original Datagram Data      |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

  • When the source station receives the ICMP message, it will lower the packet size to reflect the smaller MTU. 
  • There are three things that can break PMTUD, two of which are uncommon and one of which is common.
    • A router can drop a packet and not send an ICMP message. (Uncommon)
    • A router can generate and send an ICMP message, but the sender ignores the message. (Uncommon)
    • A router can generate and send an ICMP message but the ICMP message gets blocked by a router or firewall between this router and the sender. (Common) 
  • The success or failure of PMTUD hinges upon ICMP unreachable messages getting through to the sender of a TCP/IP packet. 
  • The following Cisco IOS access-list entries allow the ICMP messages PMTUD depends on to pass through a firewall:

access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny icmp any any
access-list 101 permit ip any any
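As an added example (not part of the original notes or the referenced Cisco document), the following Python builds and parses the ICMP type 3 / code 4 message laid out above, extracts the next-hop MTU and derives the MSS a sender must fall back to, and models the two-step MSS selection described in the MSS section. The 20-byte IPv4 and TCP header sizes and the sample quoted datagram are assumptions.

```python
import struct

ICMP_DEST_UNREACH = 3     # ICMP type "Destination Unreachable"
ICMP_FRAG_NEEDED = 4      # code "fragmentation needed and DF set"
IP_HDR, TCP_HDR = 20, 20  # header sizes assumed on the page (1500 - 20 - 20 = 1460)

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words; odd length is zero-padded.
    Over a complete, valid message (checksum field included) the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frag_needed(next_hop_mtu: int, original: bytes) -> bytes:
    """Build the message from the diagram: type 3, code 4, unused = 0,
    next-hop MTU, then the original IP header + 64 bits of its payload."""
    quoted = original[:IP_HDR + 8]
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    body += quoted
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

def parse_frag_needed(msg: bytes):
    """Return (next_hop_mtu, quoted_original) for a valid type 3 / code 4 message,
    or None if the length, checksum, type, code or 'unused' field is wrong."""
    if len(msg) < 8 + IP_HDR or icmp_checksum(msg) != 0:
        return None
    typ, code, _csum, unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if typ != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED or unused != 0:
        return None
    return mtu, msg[8:]

def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits an IPv4 packet of the given MTU (no options)."""
    return mtu - IP_HDR - TCP_HDR

def send_mss(own_mtu: int, own_buffer: int, peer_mss: int) -> int:
    """MSS the local host actually sends with: first min(own MTU-derived MSS,
    own buffer), then the lower of that and the MSS the peer announced."""
    return min(min(mss_for_mtu(own_mtu), own_buffer), peer_mss)

# Constructed sample: IPv4 header (length 1500, DF set, proto TCP) + 8 bytes of TCP.
SAMPLE_ORIGINAL = bytes.fromhex(
    "450005dc1c46400040060000c0a80001c0a80002"  # IPv4 header, DF bit set (0x4000)
    "0400005000000001"                            # TCP: ports 1024 -> 80, seq 1
)
```

With a next-hop MTU of 1400 in the message, `mss_for_mtu` gives 1360, which is the segment size the sender drops to after receiving it.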

References

Resolve IP Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPSEC

Comments

  1. Note: PMTUD is only supported by TCP and UDP. Other protocols do not support it. If PMTUD is enabled on a host, and it almost always is, all TCP/IP or UDP packets from the host will have the DF bit set.

    https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html

  2. Thank you for specifying this.
