On Sunday 01 Sep 2013 12:17:28 Grant wrote:
> > Communications between IPv4 end points use PMTUD by setting a Don't
> > Fragment (DF) bit in the headers of the outgoing packet. If a
> > router/server along the path has a smaller MTU, it will drop that packet
> > and respond with an ICMP 'Destination Unreachable -- Fragmentation
> > Needed' packet including its smaller MTU value. Upon receiving this
> > smaller packet value the initiating host will dynamically reduce the
> > size of the outgoing packets, until the packet arrives at its intended
> > destination. PMTUD should always be switched on in any well behaving
> > network implementation, but here's the rub: some network nodes,
> > firewalls, servers are configured to never respond with *any* ICMP
> > packets (because they think that this is a way to avoid DDoS problems
> > and the like). Therefore, the initiating host keeps sending large
> > packets never knowing that they are dropped on the way. This network
> > problem is known as a PMTUD blackhole and is explained better here:
>
> Could ICMP packets not getting through be to blame for my proxy server
> problem? My laptop can't seem to ping anyone (blocked at the firewall
> in this hotel I suppose) and certainly the proxy server can't ping my
> laptop.

Not all ICMP packets are relevant to detecting the MTU of a node. A correctly
implemented node will return an ICMP Fragmentation Needed (Type 3, Code 4)
packet, with its MTU value. This kind of ICMP packet should not be blocked
at firewalls. Use ping with the do-not-fragment option to see if packets
above a certain size time out, i.e. they are dropped by some offending node on
the way.

ping -c 6 -n -M do -s 1472 <server_address>

This will send 6 packets to your server's address having set the do-not-
fragment bit. The packet payload size is set at 1472 to allow for 28 bytes
that are taken up by the IP and ICMP header data. So the total packet size
would be 1472+28=1500, the usual ethernet packet size.

If the MTU of the server is less than 1500 bytes, you will get a response
containing "Frag needed and DF set", otherwise you will get pong responses,
like e.g.

1480 bytes from XXX.XX.XXX.XXX: icmp_seq=1 ttl=121 time=66.5 ms

If there is a black hole in the circuit you will be getting timeouts. Start
reducing the size of the packet if you are getting timeouts, say by 10 bytes
at a time. When you arrive at or below the corresponding size of the MTU of a
blackhole you will start getting responses.

Of course, if the hotel's firewall is blocking all outgoing/incoming pings
this sort of diagnostic test will not be useful.
--
Regards,
Mick
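The step-down procedure Mick describes (DF-marked pings, shrinking the payload until replies arrive) can be automated. The script below is an added example, not code from the mailing list thread; it goes slightly beyond the post by using a binary search over payload sizes rather than 10-byte steps, and by reporting whether the path failed silently (timeouts, i.e. a PMTUD blackhole) or with proper ICMP Fragmentation Needed messages. It assumes Linux iputils `ping` (the `-M do`, `-s`, `-W` flags), the 28-byte IPv4+ICMP header overhead from the post, and that a 68-byte packet (the IPv4 minimum MTU) always gets through; the `simulated_path` helper and the sample addresses are constructed for offline testing.

```python
"""Path MTU probe with the DF bit set (added example, not from the post)."""
import re
import subprocess
import sys
from typing import Callable, Dict

HEADER_OVERHEAD = 28   # 20-byte IPv4 header + 8-byte ICMP echo header (from the post)
ETHERNET_MTU = 1500    # usual Ethernet frame payload, so max ping payload is 1472
MIN_IPV4_MTU = 68      # RFC 791 minimum; assumed to always pass, so search starts here


def classify_ping_output(output: str) -> str:
    """Map the text of one ping run to 'reply', 'frag_needed' or 'timeout'.

    'Frag needed and DF set' is the message quoted in the post; iputils also
    reports 'message too long' locally once the kernel has cached a smaller
    path MTU, which counts as the same signal.
    """
    if re.search(r"Frag needed and DF set|too long", output, re.IGNORECASE):
        return "frag_needed"
    if re.search(r"^\d+ bytes from .*icmp_seq=\d+", output, re.MULTILINE):
        return "reply"
    return "timeout"   # no echo reply and no ICMP error: candidate blackhole


def ping_probe(target: str, payload: int, timeout_s: int = 2) -> str:
    """Send one DF-marked ping of the given payload size and classify the result."""
    cmd = ["ping", "-c", "1", "-n", "-M", "do", "-W", str(timeout_s),
           "-s", str(payload), target]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return classify_ping_output(proc.stdout + proc.stderr)


def find_pmtu(probe: Callable[[int], str],
              hi_payload: int = ETHERNET_MTU - HEADER_OVERHEAD) -> Dict[str, object]:
    """Binary-search the largest DF-marked payload that still gets a reply.

    probe(payload) returns 'reply', 'frag_needed' or 'timeout'.
    Returns the estimated path MTU (payload + headers) and a 'blackhole' flag
    that is set when any oversized probe vanished without an ICMP error.
    """
    lo = MIN_IPV4_MTU - HEADER_OVERHEAD   # assumed to pass (invariant: lo works)
    hi = hi_payload
    blackhole = False
    first = probe(hi)
    if first == "reply":
        return {"pmtu": hi + HEADER_OVERHEAD, "blackhole": False}
    blackhole = first == "timeout"
    while hi - lo > 1:                    # invariant: lo passes, hi fails
        mid = (lo + hi) // 2
        result = probe(mid)
        if result == "reply":
            lo = mid
        else:
            blackhole = blackhole or result == "timeout"
            hi = mid
    return {"pmtu": lo + HEADER_OVERHEAD, "blackhole": blackhole}


def simulated_path(mtu: int, silent: bool) -> Callable[[int], str]:
    """Constructed stand-in for a path whose narrowest hop has the given MTU.

    silent=True models a blackhole (drops with no ICMP); silent=False models a
    compliant router that answers with Fragmentation Needed.
    """
    def probe(payload: int) -> str:
        if payload + HEADER_OVERHEAD <= mtu:
            return "reply"
        return "timeout" if silent else "frag_needed"
    return probe


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(find_pmtu(lambda size: ping_probe(target, size)))
```

Run it as `python3 pmtu_probe.py <server_address>`; a result with `blackhole: True` and a PMTU below 1500 is the signature of a filtering node on the path, while `blackhole: False` with a reduced PMTU means some hop is smaller but PMTUD itself is working. As Mick notes, if all echo traffic is filtered the probe simply reports timeouts all the way down and tells you nothing about the MTU.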