Alastair’s Place

Software development, Cocoa, Objective-C, life. Stuff like that.

Path MTU Problems

Rainer Brockerhoff has just changed ISP and is having what sound like MTU problems. These are increasingly common and there is a lot of misunderstanding about what causes them and why.

Essentially the problem is that some types of network link have a smaller limit on the maximum packet size than others. Originally, machines simply assumed the worst and only transmitted packets of up to 576 octets in size. This was quickly changed so that hosts using TCP/IP negotiate the maximum segment size during connection set-up. However, if there are routers between the two hosts, it is possible that the hosts’ MTU values are higher than the MTU of a link between the routers.

If that happens, one option is for the routers to fragment the packets. Unfortunately this has several negative effects and has occasionally been deliberately blocked to prevent various types of Denial of Service attack.

A better approach, therefore, would be for the hosts to attempt to discover the MTU of the network path over which they are communicating. To do this, they transmit large packets with the DF (Do not Fragment) flag set. When a router receives such a packet and cannot forward it without fragmenting it, it is supposed to reply with an ICMP message indicating that the packet was too large and cannot be forwarded. When such a message arrives, the sending host can reduce the MTU it uses for that path as appropriate and retry.
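To make the sender's side of that exchange concrete, here is an added example (not part of the original post) that parses the ICMP "fragmentation needed" message defined in RFC 1191 (type 3, code 4) and lowers the path MTU estimate. The function names, the sample sender address 192.0.2.10 and the constructed test messages are assumptions made for illustration.

```python
import struct

# RFC 1191 plateau table: fallback when an old router reports a next-hop MTU of 0.
PLATEAUS = [65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68]
MIN_IPV4_MTU = 68

def parse_frag_needed(icmp: bytes):
    """Return (next_hop_mtu, quoted_dst, quoted_total_len), or None if this is
    not an ICMP Destination Unreachable / Fragmentation Needed (type 3, code 4)."""
    if len(icmp) < 8 + 20:           # ICMP header + quoted IPv4 header
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    inner = icmp[8:]                 # header of the packet that was too big
    if (icmp_type, code) != (3, 4) or inner[0] >> 4 != 4:
        return None
    total_len = struct.unpack("!H", inner[2:4])[0]
    dst = ".".join(str(b) for b in inner[16:20])
    return mtu, dst, total_len

def new_path_mtu(current: int, dst: str, icmp: bytes) -> int:
    """Path MTU estimate for `dst` after receiving `icmp`."""
    parsed = parse_frag_needed(icmp)
    if parsed is None or parsed[1] != dst:
        return current               # not about a packet we sent to dst: ignore
    mtu, _, total_len = parsed
    if mtu == 0:                     # router predates RFC 1191: step down a plateau
        mtu = next((p for p in PLATEAUS if p < total_len), MIN_IPV4_MTU)
    return max(MIN_IPV4_MTU, min(current, mtu))   # only ever lower the estimate

def sample_icmp(mtu: int, total_len: int = 1500, dst=(10, 0, 1, 1)) -> bytes:
    """Constructed test message (checksums left as 0; they are not verified here)."""
    quoted = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0,
                         bytes((192, 0, 2, 10)), bytes(dst)) + bytes(8)
    return struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + quoted

if __name__ == "__main__":
    for label, msg in [("mtu=1492", sample_icmp(1492)), ("mtu=0", sample_icmp(0)),
                       ("other dst", sample_icmp(576, dst=(10, 0, 9, 9)))]:
        print(label, "->", new_path_mtu(1500, "10.0.1.1", msg))
```

If a firewall drops this message, `new_path_mtu` is never called and the sender keeps retransmitting packets that cannot get through.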

And herein lies the problem. Some sysadmins apparently don’t realise that ICMP messages are required for correct operation and block all of them. Or maybe they just block the one required for path MTU discovery. Either way, doing this breaks things badly and leads to all kinds of weird symptoms that people tend to blame on end users and their ISPs.

There are some tools you can use to investigate if you think this problem is happening to you; scamper seems to be particularly useful. For example,

alastair$ sudo ./scamper -c "trace -M -P ICMP" -i 10.0.1.1

will display the MTU at each point along the route from your machine to 10.0.1.1.

Or you can “just” set the MTU on your machine to a lower value. Unfortunately it is usually tricky to configure a special MTU for accessing the Internet and the usual Ethernet MTU for the rest of your network, and in order to avoid problems you really should have the MTU settings the same for all hardware on your network segment.