RE: Re: routers don't fragment any packet. End hosts all MUST

From: John Gibson (johngibson1541@yahoo.com)
Date: Thu Apr 05 2007 - 04:58:01 ART


IPv6 RFC 2460 basically says if we don't do PMTU,
just send packets smaller than 1280 bytes.

RFC 2460 says routers in the IPv6 path MUST
be capable of sending 1280 bytes in 1 IPv6 packet.
If some interface has a layer 2 MTU smaller than
1280, the router has to fragment the packet at
layer 2.

I like RFC 2460.

--- Sergey Golovanov <sergey.golovanov@iementor.com> wrote:

>
> Actually, barely any networks in the enterprise world rely on PMTU
> anymore. If you are concerned with an MTU bottleneck in the middle of
> the communication path, for example GRE tunnels, you'd normally use
> "ip tcp adjust-mss" set to your IP MTU - 40. So for example, let's say
> you have a gre tunnel somewhere in the middle. The IP mtu would
> normally be set to 1476 (1500 - 20 IP header - 4 GRE header), and tcp
> adjust-mss would be set to 1436 (1476 - 40 IP+TCP header). With this
> configuration these problems don't matter anymore:
>
> 1. PMTU is not needed (tcp only)
> 2. Doesn't matter what MTU the server or client are using (tcp only)
> 3. Doesn't matter what MSS the server or client are using (tcp only)
> 4. Doesn't matter if the server or client are using DF bit (tcp only)
>
> All these issues are resolved with tcp adjust-mss.... the only problem
> is that it applies only to TCP traffic. The issue remains with UDP
> traffic. But it's not a big deal. If UDP for some reason sends large
> MTU packet, it would get fragmented. I don't know of any applications
> that set DF-bit and that use full size 1500 ip packet. I don't know of
> any... except for one :)
> Microsoft Kerberos authentication on Windows 2000 (I think it's only
> on Win2K) will use UDP by default (I believe on Win2003 they changed
> to TCP for default setting), and it will set the DF bit. Well, it's
> not a problem.... until your AD transactions (resulted from the user
> database size etc) reach certain size and the packet ends up being
> above the "bottleneck" MTU. The difficult way to fix it is to tell
> your server guys to switch Kerberos from UDP to TCP... but it might be
> difficult in large environments. The other way to fix it, of course,
> is to use the route-map and clear df-bit on all UDP traffic.
>
> Hope this helps
>
>
> --------------------------------------------------------------------
> Sergey Golovanov, CCIEx5 (R&S/Security/Voice/Service Provider/Storage)
> "Please, don't ask me for my ccie #, there are reasons why I can't
> release it"
> ieMentor Instructor and Content Developer
> sergey.golovanov@iementor.com
> http://www.iementor.com
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of johngibson1541@yahoo.com
> Sent: Wednesday, April 04, 2007 9:54 AM
> To: ccielab@groupstudy.com
> Subject: Re: Re: routers don't fragment any packet. End hosts all MUST
> have path MTU discovery ?
>
> No. Something is not right here.
>
> I am so shocked to learn that path MTU discovery protocol uses ICMP.
>
> Many enterprise networks block all ICMP packets. How could this path
> MTU discovery thing ever work in our public Internet?
>
> What are we doing? I am totally lost.
>
>
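
The effect of "ip tcp adjust-mss" on a SYN crossing the GRE tunnel from the quoted reply, sketched in Python as an added example (not code from the thread or from any router implementation): it derives 1436 from the tunnel IP MTU of 1476, lowers a larger MSS option, and updates the TCP checksum incrementally. The function names and the sample SYN are constructed for illustration.

```python
import struct

def mss_for_ip_mtu(ip_mtu, ip_hdr=20, tcp_hdr=20):
    """MSS that fits one full segment in ip_mtu (the post's 'IP MTU - 40')."""
    return ip_mtu - ip_hdr - tcp_hdr

def csum_update(csum, old, new):
    """RFC 1624 incremental checksum update for one changed 16-bit word."""
    s = (~csum & 0xFFFF) + (~old & 0xFFFF) + new
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def clamp_mss(tcp, max_mss):
    """Lower the MSS option of a TCP SYN to max_mss; return other input unchanged."""
    if len(tcp) < 20:
        return tcp
    hdr_len = (tcp[12] >> 4) * 4
    if not tcp[13] & 0x02 or not 20 <= hdr_len <= len(tcp):  # SYN flag, sane offset
        return tcp
    i = 20
    while i < hdr_len:
        kind = tcp[i]
        if kind == 0:                      # End of option list
            break
        if kind == 1:                      # NOP padding is a single byte
            i += 1
            continue
        if i + 1 >= hdr_len or tcp[i + 1] < 2 or i + tcp[i + 1] > hdr_len:
            break                          # truncated or malformed option
        if kind == 2 and tcp[i + 1] == 4:  # MSS option: kind 2, length 4
            (mss,) = struct.unpack_from("!H", tcp, i + 2)
            if mss <= max_mss:
                return tcp                 # a smaller MSS is never raised
            old, new = mss, max_mss
            if (i + 2) % 2:                # value straddles two checksum words
                old, new = (old >> 8 | old << 8) & 0xFFFF, (new >> 8 | new << 8) & 0xFFFF
            out = bytearray(tcp)
            struct.pack_into("!H", out, i + 2, max_mss)
            (csum,) = struct.unpack_from("!H", tcp, 16)
            struct.pack_into("!H", out, 16, csum_update(csum, old, new))
            return bytes(out)
        i += tcp[i + 1]
    return tcp

# Constructed sample: SYN header with options MSS=1460, NOP, NOP, EOL, EOL (checksum left 0).
SAMPLE_SYN = struct.pack("!HHIIBBHHH", 40000, 88, 1, 0, 7 << 4, 0x02, 65535, 0, 0) \
    + bytes([2, 4]) + struct.pack("!H", 1460) + bytes([1, 1, 0, 0])
GRE_IP_MTU = 1500 - 20 - 4                 # 1476, as in the post
```

Only TCP SYNs carry the option, which is why the reply's caveat about UDP still applies: nothing in a UDP datagram can be rewritten this way.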



This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:34 ART