| 1 |
On Sunday 01 Sep 2013 12:17:28 Grant wrote: |
| 2 |
> > Communications between IPv4 end points use PMTUD by setting a Don't |
| 3 |
> > Fragment (DF) bit in the headers of the outgoing packet. If a |
| 4 |
> > router/server along the path has a smaller MTU, it will drop that packet |
| 5 |
> > and respond with an ICMP 'Destination Unreachable -- Fragmentation |
| 6 |
> > Needed' packet including its smaller MTU value. Upon receiving this |
| 7 |
> > smaller packet value the initiating host will dynamically reduce the |
| 8 |
> > size of the outgoing packets, until the packet arrives at its intended |
| 9 |
> > destination. PMTUD should always be switched on in any well behaving |
| 10 |
> > network implementation, but here's the rub: some network nodes, |
| 11 |
> > firewalls, servers are configured to never respond with *any* ICMP |
| 12 |
> > packets (because they think that this is a way to avoid DDoS problems |
| 13 |
> > and the like). Therefore, the initiating host keeps sending large |
| 14 |
> > packets never knowing that they are dropped on the way. This network |
| 15 |
> > problem is known as a PMTUD blackhole and is explained better here: |
| 16 |
> |
| 17 |
> Could ICMP packets not getting through be to blame for my proxy server |
| 18 |
> problem? My laptop can't seem to ping anyone (blocked at the firewall |
| 19 |
> in this hotel I suppose) and certainly the proxy server can't ping my |
| 20 |
> laptop. |
| 21 |
|
| 22 |
Not all ICMP packets are relevant to detecting the MTU of a node. A correctly |
| 23 |
implemented node will return an ICMP Fragmentation Needed (Type 3, Code 4) |
| 24 |
packet, with its MTU value. This kind of ICMP packets should not be blocked |
| 25 |
at firewalls. Use ping with the do not fragment option to see if packets |
| 26 |
above a certain size time out, i.e. they are dropped by some offending node on |
| 27 |
the way. |
| 28 |
|
| 29 |
ping -c 6 -n -M do -s 1472 <server_address> |
| 30 |
|
| 31 |
This will send 6 packets to your server's address having set the do not |
| 32 |
fragment bit. The packet payload size is set at 1472 to allow for 28 bytes |
| 33 |
that are taken up by the IP and ICMP header data. So the total packet size |
| 34 |
would be 1472+28=1500, the usual ethernet packet size. |
| 35 |
|
| 36 |
If the MTU of the server is less than 1500 bytes, you will get a response |
| 37 |
containing "Frag needed and DF set", otherwise you will get pong responses, |
| 38 |
like e.g. |
| 39 |
|
| 40 |
1480 bytes from XXX.XX.XXX.XXX: icmp_seq=1 ttl=121 time=66.5 ms |
| 41 |
|
| 42 |
If there is a black hole in the circuit you will be getting timeouts. Start |
| 43 |
reducing the size of the packet if you are getting time outs, say by 10 bytes |
| 44 |
at a time. When you arrive at or below the corresponding size of the MTU of a |
| 45 |
blackhole you will start getting responses. |
| 46 |
|
| 47 |
Of course, if the hotel's firewall is blocking all outgoing/incoming pings |
| 48 |
this sort of diagnostic test will not be useful. |
| 49 |
-- |
| 50 |
Regards, |
| 51 |
Mick |
Archives