PMTUD woes
SECURITY SHELF

PMTUD is enabled by default in most modern operating systems, including Windows, Linux, and OS X. Hosts begin with packet sizes based on the interface MTU. The standard on Ethernet networks is 1500, but MTUs as high as 9000 are commonly used to take advantage of jumbo frame capabilities on modern switches. Hosts using PMTUD set the IP header Don’t Fragment (DF) bit and transmit the IP datagram.

Within the LAN, the PMTUD mechanism seldom elicits a response. Other hosts on the LAN typically use the same MTU. IP datagrams to other networks pass through routers. In a normal networking scenario, a router receiving an IP datagram with a size exceeding the MTU of the next hop will fragment it. However, when PMTUD is in use, the DF bit is set specifically instructing the router not to fragment the datagram.

When a router is unable to forward a datagram because it exceeds the MTU of the next hop and the DF bit is set, the router discards the datagram and sends an ICMP destination unreachable (type 3) fragmentation needed and DF set (code 4) message to the source of the datagram. In response to the ICMP message, the host reduces the datagram size and tries again. Many retries with decreasing datagram sizes may be required to reach a size acceptable to every router the datagram traverses on its way to the destination host.

Problems with PMTUD occur when the ICMP message from a router does not reach the originating host. If ICMP messages are filtered, the host has no way to know that the datagram was too large. The impact of dropped datagrams varies by protocol.

Applications using stateless protocols such as UDP may exhibit symptoms of intermittent connectivity problems. For example, one DNS lookup might succeed while another that involves more data might time out.

Applications using stateful protocols such as TCP will be able to obtain a connection, because the three-way TCP handshake uses small datagrams. However, at some point during the session a single datagram may exceed a hop MTU. When the expected ACK never arrives, standard TCP retransmission takes over. Since the retransmitted segments are the same size, they too will be dropped, and the session will eventually time out.

Protocols such as HTTPS and SSL-based VPNs are especially susceptible. The TCP session is established and the initial TLS protocol handshake succeeds. The certificate exchange then results in larger datagram sizes, at which point the TCP session times out. Even seasoned IT professionals encounter difficulty diagnosing these symptoms. They are able to successfully test TCP connectivity, yet the application reports connectivity issues. System administrators may also report seemingly random SSH session hangs and applications such as anti-malware packages may appear to operate normally, but fail to download signature updates.

ICMP filtering that breaks PMTUD often occurs at firewalls, routers, and VPN gateways. The practice of blocking ICMP evolved in response to denial of service attacks and intruders using the protocol to map networks. However, ICMP is an integral part of the TCP/IP protocol suite.

Firewalls should ideally match ICMP messages to IP traffic and forward the relevant ones. Dropping all ICMP messages at the firewall may seem beneficial from a security perspective, but is generally a bad idea.

Routers are often configured to filter all ICMP traffic for security reasons. Organizations should strongly consider allowing ICMP type 3 messages. It is ironic that many organizations internally allow echo request (type 8) and echo reply (type 0) messages, by far the most abused, yet block more important type 3 messages.

VPN gateways are especially problematic because they usually have a smaller MTU on the VPN interface due to VPN protocol overhead. Some VPN devices include an option to clear the DF bit and allow fragmentation.

PMTUD issues are also common in cloud environments. For example, default Amazon Web Services (AWS) Security Groups do not allow ICMP messages. Unless AWS users specifically add ICMP type 3 messages to the ingress ruleset, they are guaranteed to break PMTUD.

There are three effective strategies to prevent PMTUD-related issues. The best option is to ensure that ICMP type 3 code 4 (or preferably all type 3) responses are allowed to reach their intended destination. Clearing the DF bit at the first router or turning off PMTUD at the operating system level are also options, but they may result in increased fragmentation.
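To make the mechanism concrete, here is an added example (not code from this column) that builds and parses the ICMP type 3 code 4 message described earlier, then simulates a PMTUD sender on a constructed path with a firewall, an ISP router and a VPN gateway. The tunnel MTU of 1400, the hop names, and the addresses are all placeholders; the firewall either drops transit ICMP or lets it through, which is the first of the three strategies above. It also covers the TCP symptom described earlier: small handshake-sized datagrams get through in both cases, large ones only when the ICMP message reaches the host.

```python
"""
Added example (not code from the column): parse the ICMP "fragmentation needed"
message a router sends and simulate how a PMTUD host converges, or fails to,
depending on whether that message reaches it. Every packet is constructed in
memory; no sockets are opened.
"""
import struct
from dataclasses import dataclass

ICMP_DEST_UNREACH = 3   # ICMP type 3: destination unreachable
ICMP_FRAG_NEEDED = 4    # code 4: fragmentation needed and DF set


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fake_ip_header(total_len: int) -> bytes:
    """Constructed IPv4 header (DF flag set) standing in for the dropped
    datagram's header; addresses are documentation-range placeholders."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))


def build_frag_needed(next_hop_mtu: int, original: bytes) -> bytes:
    """Build the type 3 code 4 message a router sends back (RFC 1191 layout:
    type, code, checksum, 2 unused bytes, 2-byte next-hop MTU, then the
    original IP header plus the first 8 bytes of its payload)."""
    head = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    csum = icmp_checksum(head + original)
    return head[:2] + struct.pack("!H", csum) + head[4:] + original


def parse_frag_needed(msg: bytes):
    """Return the next-hop MTU carried by a valid type 3 code 4 message,
    or None if the message is some other ICMP type/code or is corrupted."""
    if len(msg) < 8 or icmp_checksum(msg) != 0:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if icmp_type != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    return mtu


@dataclass
class Hop:
    name: str
    mtu: int             # MTU of this hop's outgoing link toward the destination
    filters_icmp: bool   # drops ICMP unreachables transiting back toward the sender


def send_with_pmtud(path, host_mtu, datagram_len, max_tries=5):
    """Send one DF datagram of datagram_len bytes through path. A hop whose
    outgoing MTU is too small drops it and emits frag-needed; the message
    only reaches the host if no earlier hop filters ICMP. Without the
    message the host just retransmits the same size, as TCP would.
    Returns (delivered, size_used, attempts)."""
    size = min(datagram_len, host_mtu)   # host starts from its interface MTU
    for attempt in range(1, max_tries + 1):
        drop = next((i for i, h in enumerate(path) if size > h.mtu), None)
        if drop is None:
            return True, size, attempt
        msg = build_frag_needed(path[drop].mtu, fake_ip_header(size) + b"\x00" * 8)
        if any(h.filters_icmp for h in path[:drop]):
            continue   # ICMP lost: host learns nothing and retries the same size
        size = min(datagram_len, parse_frag_needed(msg))
    return False, size, max_tries


# Constructed topology: LAN firewall, ISP router, then a VPN gateway whose
# tunnel MTU is reduced by encapsulation overhead (1400 is a placeholder).
def demo(firewall_blocks_icmp: bool):
    path = [Hop("firewall", 1500, firewall_blocks_icmp),
            Hop("isp-router", 1500, False),
            Hop("vpn-gateway", 1400, False)]
    return {
        "handshake_60B": send_with_pmtud(path, 1500, 60),
        "tls_certs_1500B": send_with_pmtud(path, 1500, 1500),
    }


if __name__ == "__main__":
    for blocked in (True, False):
        print("firewall drops all ICMP:" if blocked else "firewall allows type 3:",
              demo(blocked))
```

Running the script shows the two outcomes side by side: with the firewall dropping ICMP, the 60-byte datagram is delivered on the first attempt while the 1500-byte one is retransmitted at the same size until the retry budget is exhausted; with type 3 allowed, the host reads the 1400-byte next-hop MTU from the message and delivers on the second attempt. The simulation models one direction only, which is exactly why the column's closing point about checking both ends matters.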

It is important to recognize that PMTUD is used to determine datagram size limits for transmission and therefore works independently in each direction. In Internet communication scenarios it is important to consider both ends of the connection to avoid PMTUD woes.

Have a security question you’d like answered in a future column? Email eric.jacksch@iticonline.ca
