Path MTU discovery (PMTUD) is a technique in computer networking for determining the maximum transmission unit (MTU) size on a network path between two Internet Protocol (IP) hosts, usually with the goal of avoiding IP packet fragmentation.
Path MTU discovery works by setting the DF (Don't Fragment) flag in the IPv4 header of outgoing packets. Any router along the path whose next-hop link has an MTU smaller than the packet then drops the packet and returns an Internet Control Message Protocol (ICMP) "Fragmentation Needed" message (ICMPv4 type 3, code 4) carrying the MTU of that link, allowing the source host to lower its path MTU estimate accordingly. The process repeats until packets are small enough to traverse the entire path without fragmentation.
If the path MTU drops after the connection is set up, the first packet larger than the new path MTU triggers an ICMP error and the lower value is learned the same way. Conversely, a lowered estimate can become stale if the path later admits larger packets, so the operating system periodically reprobes with a larger packet (RFC 1191 suggests an interval of about ten minutes) to detect whether the path MTU has increased.
ICMP error messages carry no authentication, so an attacker can forge a "Fragmentation Needed" message advertising a small MTU and force the sender to shrink its packets, including the packets carried over a tunnel, which degrades throughput. This is known as a "Path MTU Discovery attack." ICMP messages can also be used in denial-of-service attacks. Because of these security concerns, many network security devices, such as firewalls or access control lists (ACLs) on routers, block all ICMP messages, including the error messages PMTUD depends on.
Blocking ICMP messages in this way prevents PMTUD from working, as PMTUD relies upon ICMP feedback to lower the MTU estimate. Every packet with the DF bit set that is larger than the smallest link MTU on the path is then silently dropped. Troubleshooting this connectivity issue is problematic because only some packets get through: those small enough not to need fragmentation, and those sent with the DF bit clear, which routers fragment in transit. The result is a connection that completes the Transmission Control Protocol (TCP) three-way handshake correctly (the handshake segments are small) but then hangs as soon as full-size data segments are sent. This state is referred to as a "black hole connection."
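The exchange described in the preceding paragraphs, as an added example that is not part of the original page: a small simulation of RFC 1191 path MTU discovery over a chain of links, with the sender lowering its estimate on each "Fragmentation Needed" message, the ICMP-filtered path that turns into a black hole (handshake passes, first full-size segment vanishes), and a forged "Fragmentation Needed" message that a host trusting any ICMP error accepts while a host that checks the quoted packet against its in-flight datagrams rejects. Link MTUs, packet sizes and IP identification values are constructed for the example, and header overhead during fragmentation is ignored for brevity.

```python
"""Constructed simulation of IPv4 path MTU discovery (RFC 1191) and the
failure modes discussed above: a PMTUD black hole and a spoofed ICMP error.
All link MTUs, packet sizes and identifiers are made-up example values."""

from dataclasses import dataclass

IPV4_MIN_MTU = 68          # RFC 791: every IPv4 link must carry a 68-byte datagram
HANDSHAKE_SEGMENT = 40     # IPv4 + TCP headers with no payload (SYN / SYN-ACK / ACK)


@dataclass(frozen=True)
class Packet:
    ident: int   # IP Identification field, lets the sender recognise a quoted packet
    size: int    # total datagram length in bytes
    df: bool     # Don't Fragment flag


@dataclass(frozen=True)
class FragNeeded:
    """ICMP type 3 code 4: next-hop MTU plus a quote of the offending datagram."""
    next_hop_mtu: int
    quoted: Packet


class Path:
    """A chain of links; link_mtus[0] is the sender's own interface."""

    def __init__(self, link_mtus, filter_icmp=False):
        self.link_mtus = list(link_mtus)
        self.filter_icmp = filter_icmp   # a firewall on the path dropping all ICMP

    def send(self, pkt):
        """Return ("delivered", fragment_count), ("icmp", FragNeeded) or ("dropped", None)."""
        size, fragments = pkt.size, 1
        for mtu in self.link_mtus:
            if size > mtu:
                if pkt.df:
                    if self.filter_icmp:
                        return "dropped", None         # silently black-holed
                    return "icmp", FragNeeded(mtu, pkt)
                fragments *= -(-size // mtu)           # DF clear: router fragments (ceil)
                size = mtu
        return "delivered", fragments


class Sender:
    """Host side of PMTUD: start at the local MTU, shrink on credible ICMP errors."""

    def __init__(self, local_mtu, validate=True):
        self.pmtu = local_mtu
        self.validate = validate     # False models a host that trusts any ICMP error
        self.next_ident = 1
        self.outstanding = set()     # datagrams sent and not yet acknowledged
        self.ignored = []            # ICMP errors rejected as implausible

    def emit(self, size, df=True):
        pkt = Packet(self.next_ident, size, df)
        self.next_ident += 1
        self.outstanding.add(pkt)
        return pkt

    def handle_icmp(self, err):
        """Accept only errors quoting an in-flight packet (when validating) whose
        proposed MTU is sane and strictly smaller than the current estimate."""
        plausible = err.quoted in self.outstanding or not self.validate
        if not plausible or not IPV4_MIN_MTU <= err.next_hop_mtu < self.pmtu:
            self.ignored.append(err)
            return False
        self.pmtu = err.next_hop_mtu
        return True

    def discover(self, path, max_rounds=16):
        """Probe with DF set until a full-size datagram is delivered.
        Returns the path MTU, or None if the path never answers (black hole)."""
        for _ in range(max_rounds):
            pkt = self.emit(self.pmtu)
            status, info = path.send(pkt)
            if status == "delivered":
                self.outstanding.discard(pkt)
                return self.pmtu
            if status == "dropped":
                return None                   # no feedback: cannot converge
            self.handle_icmp(info)
            self.outstanding.discard(pkt)
        return None


def handshake_then_transfer(local_mtu, path):
    """The black-hole symptom: tiny handshake segments pass, the first full-size
    data segment vanishes.  Returns (handshake_ok, data_ok)."""
    host = Sender(local_mtu)
    handshake_ok = path.send(host.emit(HANDSHAKE_SEGMENT))[0] == "delivered"
    data_ok = path.send(host.emit(local_mtu))[0] == "delivered"
    return handshake_ok, data_ok


def forged_frag_needed(mtu):
    """Off-path attacker quotes a packet it never saw and claims a tiny next-hop MTU."""
    return FragNeeded(mtu, Packet(ident=4242, size=1500, df=True))


if __name__ == "__main__":
    print(Sender(1500).discover(Path([1500, 1400, 1280])))                    # 1280
    print(Sender(1500).discover(Path([1500, 1400], filter_icmp=True)))       # None
    print(handshake_then_transfer(1500, Path([1500, 1400], filter_icmp=True)))  # (True, False)
    victim, careful = Sender(1500, validate=False), Sender(1500)
    print(victim.handle_icmp(forged_frag_needed(296)), victim.pmtu)          # True 296
    print(careful.handle_icmp(forged_frag_needed(296)), careful.pmtu)        # False 1500
```

The `validate` check stands in for the defence real TCP stacks apply: the ICMP error quotes the IP header and first eight bytes of the offending datagram, so a stack can require that the quoted packet correspond to data actually in flight before honouring it; an off-path attacker who cannot see traffic must guess those values. Lowering the estimate only to a value strictly below the current one, and never below the link minimum, is what RFC 1191 already requires.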
If the tunnel origination endpoint does not set the DF bit on the encapsulated (outer) packet, routers along the tunnel fragment the outer packet and the tunnel termination endpoint must reassemble the fragments before it can decapsulate them. This is a relatively inefficient alternative: reassembly at the tunnel endpoint carries a large performance penalty compared with the case where the originating tunnel endpoint fragments the inner packet before encapsulation, leaving reassembly to the destination host.
RFC 4459 ("MTU and Fragmentation Issues with In-the-Network Tunneling") addresses packet fragmentation and reassembly, but does not address the problems associated with relying on ICMP packets to discover the path MTU. The Internet draft entitled "ICMP attacks against TCP" (http://www.ietf.org/id/draft-ietf-tcpm-icmp-attacks-06.txt, later published as RFC 5927) addresses the security of TCP against ICMP attacks. However, none of these solutions is suitable for tunnels. Accordingly, a need exists in the art for an improved solution for tunnel path MTU discovery.