
Configuration Guide
Contivity Secure IP Services Gateway
Configurable MTU and TCP MSS clamping
CG040301, version 1.00, March 2004 (60 pages)

Contents
Overview (page 1)
MTU discovery (page 2)
MSS clamping (page 4)
MTU and VPN (page 5)
Configurable MTU and MSS clamping on Contivity (page 6)
MTU on Contivity (page 7)
TCP MSS clamping on Contivity (page 9)
DF bit on Contivity (page 9)
Configuring MTU, MSS and DF bit (page 9)
  Configuring MTU, MSS and DF bit via GUI (page 10)
  Configuring MTU on LAN interfaces (page 10)
  Configuring TCP MSS on LAN interface (page 12)
  Configuring TCP MSS on PPPoE interface (page 14)
  Configuring MTU and TCP MSS for the Dial Interface (page 16)
  Configuring MTU and TCP MSS on WAN interface (page 17)
  Configuring MTU for the tunnel (page 17)
  Configuring DF bit for the IPSec tunnels (page 19)
  Configuring MTU and MSS via CLI (page 22)
Event Log messages (page 28)
Sample Configurations (page 29)
  Tunnel MTU (page 29): Setup (29), Configuring WS1 (29), Configuring WS2 (30), Configuring CES1 (30), Configuring CES2 (38), Testing configuration (46)
  TCP MSS Clamping (page 49): Setup (49), Configuring WS (49), Configuring CES (50), Configuring FTPS (54), Testing configuration (55)

Overview

The Internet is a world-wide network that connects computers over telecommunication links and lets them communicate with each other. It is not a homogeneous network but a collection of interconnected networks. Each of those networks may be built on different network elements and technologies and therefore has different characteristics in terms of speed, throughput and bandwidth. For example, some networks use PPPoE (Point-to-Point Protocol over Ethernet), others Ethernet, and some use Frame Relay or ATM for their connection.

Each technology has a largest packet (datagram) size that it can transmit without breaking it down (fragmenting it) into smaller units. This largest size in bytes is known as the Maximum Transmission Unit, or MTU. For example, the typical MTU is 1500 bytes for Ethernet, 1492 bytes for PPPoE, 4352 bytes for FDDI and 4464 bytes for 4 Mbps Token Ring. The administrator may override the default MTU of a network, for example to suit local network needs.

Larger and more consistent MTUs throughout the network reduce or eliminate fragmentation and thus improve performance. A larger MTU improves system performance by minimising the number of packets processed, because most of the cost is in "packets handled" rather than "bytes transferred". On the other hand, for dial-up connections it is better to keep the MTU smaller to maintain good interactive response: a 1500-byte packet takes roughly 0.2 s to serialise on a 56 kbit/s link, and any interactive traffic queued behind it waits that long. Care must therefore be taken when choosing MTU values, to accommodate the needs of users and maintain the performance of the network.

MTU discovery

Systems on the network have no knowledge of the MTU values used in other networks or by peer systems. A mechanism called path MTU discovery is used to find out the MTU of the path to a peer.

Consider the situation depicted in Figure 1. Host A has a large amount of data to send to Host B, and the path to Host B crosses a number of networks with different MTU values, such that MTU 4 > MTU 1 > MTU 2 > MTU 3. What MTU should be used to send the data to Host B?

[Figure 1: Host A, Network 1 (MTU 1), Network 2 (MTU 2), Network 3 (MTU 3), Network 4 (MTU 4), Host B]

Without any knowledge of the MTUs across the network, Host A initially assumes that the MTU throughout the path equals the MTU of its first hop, MTU 1. So Host A starts to send the data using MTU 1 with the Don't Fragment (DF) bit set.

Along the way the datagram reaches a router in Network 2. The router notices that the datagram is larger than the second network can transmit and, because the DF bit is set, discards it. The router returns an ICMP Destination Unreachable message with the code meaning "fragmentation needed and DF bit set" (type 3, code 4) to Host A. Routers that implement RFC 1191 include the MTU of the next-hop network in that ICMP message, so the source does not have to guess the value; older routers leave that field zero and the source has to search downward through a table of likely MTU values.

On receipt of this message Host A reduces its assumed MTU for that path and sends the datagram again. If the selected MTU is less than or equal to MTU 2, the router in the second network forwards the packet towards Network 3. If not, the process repeats until Host A sends a size the router accepts.

Once the datagram reaches Network 3 the same MTU discovery process repeats. With MTU 2 larger than MTU 3, the router in Network 3 discards the datagram and responds with an ICMP Destination Unreachable message to Host A. Host A lowers its MTU until the router in Network 3 accepts the packet, which sets the assumed MTU to MTU 3.

When the datagram reaches Network 4 its size is MTU 3, which is smaller than MTU 4, so it is forwarded on to Host B.

Thus Host A has learned the path MTU (the smallest MTU along the path, MTU 3) and uses that value to send the data to Host B.

For more information on path MTU discovery please consult:
RFC 1191 http://www.ietf.org/rfc/rfc1191.txt
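The walk-through above, as an added simulation (not Contivity code and not part of the original guide): each hop in the path either forwards a DF-set datagram or drops it and emits an ICMP "fragmentation needed" message, and Host A shrinks its datagram in response. The network names and MTU values are the Figure 1 topology with constructed numbers (FDDI, Ethernet, PPPoE, Token Ring). Besides the RFC 1191 case, where the router reports the next-hop MTU, it also shows the older behaviour without an MTU value (downward search through the RFC 1191 plateau table) and the failure mode where a firewall drops the ICMP message, so the host never converges.

```python
"""Path MTU discovery walk-through over a path of networks with different MTUs.

Constructed simulation (not Contivity code): each hop forwards a datagram only
if it fits the hop's MTU; otherwise, because DF is set, it drops the datagram
and (normally) returns an ICMP "fragmentation needed" message to the sender.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Plateau table from RFC 1191 section 7.1, used by a sender that receives a
# "fragmentation needed" message without a next-hop MTU value (older routers).
PLATEAUS = [65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68]


@dataclass
class Hop:
    name: str
    mtu: int
    icmp_hint: bool = True   # router fills in the next-hop MTU per RFC 1191


@dataclass
class Result:
    pmtu: Optional[int]                      # None: discovery never converged
    attempts: List[int] = field(default_factory=list)
    icmp: List[str] = field(default_factory=list)


def forward_with_df(path: List[Hop], size: int):
    """Carry a datagram of `size` bytes with DF set along `path`.

    Returns (delivered, dropping_hop); delivered is True if every hop accepted it.
    """
    for hop in path:
        if size > hop.mtu:
            return False, hop
    return True, None


def discover_pmtu(path: List[Hop], icmp_filtered: bool = False, max_attempts: int = 10) -> Result:
    """Host A's side of RFC 1191 path MTU discovery.

    The host starts at its first-hop MTU (MTU 1) and shrinks the datagram each
    time an ICMP "fragmentation needed" message arrives. With icmp_filtered=True
    a firewall between the routers and the host drops those ICMP messages, so
    the host keeps resending the same size until it gives up (a PMTU black hole).
    """
    size = path[0].mtu
    result = Result(pmtu=None)
    for _ in range(max_attempts):
        result.attempts.append(size)
        delivered, hop = forward_with_df(path, size)
        if delivered:
            result.pmtu = size
            return result
        if icmp_filtered:
            # The router did send ICMP type 3 code 4, but the host never sees it.
            result.icmp.append(f"{hop.name}: ICMP frag-needed for {size} bytes dropped by firewall")
            continue
        if hop.icmp_hint:
            result.icmp.append(f"{hop.name}: ICMP type 3 code 4, next-hop MTU {hop.mtu}")
            size = hop.mtu
        else:
            result.icmp.append(f"{hop.name}: ICMP type 3 code 4, no MTU given")
            size = next((p for p in PLATEAUS if p < size), 68)   # search downward
    return result


def example_path(icmp_hint: bool = True) -> List[Hop]:
    """Figure 1 with constructed values: MTU 4 > MTU 1 > MTU 2 > MTU 3."""
    return [
        Hop("Network 1", 4352, icmp_hint),   # FDDI
        Hop("Network 2", 1500, icmp_hint),   # Ethernet
        Hop("Network 3", 1492, icmp_hint),   # PPPoE
        Hop("Network 4", 4464, icmp_hint),   # 4 Mbps Token Ring
    ]


if __name__ == "__main__":
    for label, path, filtered in (("RFC 1191 routers", example_path(), False),
                                  ("routers without MTU hint", example_path(False), False),
                                  ("ICMP blocked by firewall", example_path(), True)):
        r = discover_pmtu(path, icmp_filtered=filtered)
        print(f"{label}: attempts={r.attempts} pmtu={r.pmtu}")
        for line in r.icmp:
            print("  ", line)
```

With RFC 1191 routers the host converges in two ICMP round trips (4352, 1500, 1492); without the MTU value it steps down the plateau table instead (4352, 2002, 1492); with ICMP filtered it resends 4352 bytes until it gives up, which is exactly the situation the next section addresses.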

MSS clamping

Some routers along the path may fail to send the ICMP Destination Unreachable messages, for reasons ranging from router software bugs to configuration problems. Firewalls in particular are often misconfigured to suppress all ICMP messages (Figure 2); see RFC 1435 http://www.ietf.org/rfc/rfc1435.txt and RFC 2923 http://www.ietf.org/rfc/rfc2923.txt. Path MTU discovery then fails, because the ICMP messages never reach the originating host. Upper layer protocols keep sending large packets without discovering that they need to reduce the packet size, and every such packet is silently dropped at the narrow hop. This can make an upper layer protocol such as TCP fail, as the connection eventually times out: the three-way handshake succeeds because the small SYN and SYN/ACK segments fit, but the first full-size data segment never arrives. The firewall-side fix is to permit ICMP type 3 code 4 (fragmentation needed) rather than blocking ICMP wholesale; where the firewall is not under your control, the gateway can work around the problem for TCP as described next.

[Figure 2: Host A (MTU 1), firewall, MTU 2, Host B; legend: ICMP traffic, TCP traffic]

The solution to this problem is the TCP Maximum Segment Size (MSS) option. This option may be sent only while a connection is being established (in the SYN segments) and indicates the largest TCP segment that the sender of the option can accept on that connection. The announcement goes from the data receiver to the data sender and says "I can accept TCP segments up to size X". X may be larger or smaller than the default. Rewriting the MSS option in SYN segments as they pass through an intermediate device, so that it never exceeds what the path beyond that device can carry, is known as MSS clamping. Because the MSS option is part of TCP, no ICMP traffic is needed to adjust the segment size between the peers. The MSS applies independently to each direction of data flow, so the two directions may have different maximum sizes. Note that clamping helps TCP only; UDP and other IP protocols still depend on ICMP-based path MTU discovery or on fragmentation.

The MSS counts only data bytes; it does not include the TCP or IP headers. Therefore the value for the MSS can be calculated as:

MSS = MTU - sizeof(TCP header) - sizeof(IP header)

Usually a best case is assumed in which the TCP and IP headers each have their minimum size of 20 bytes, which gives the simplified formula:

MSS = MTU - 40

So if the MTU for Ethernet is 1500 bytes, the MSS option would be 1460 bytes.

For more information on the TCP MSS option please consult:
RFC 879 http://www.ietf.org/rfc/rfc879.txt

MTU and VPN

Consider two sites connected by a VPN tunnel, where one of the sites uses a PPPoE interface as its connection to the Internet (Figure 3).

[Figure 3: Site A and Site B connected by a VPN tunnel]

If the tunnel MTU is larger than the PPPoE MTU of the interface, fragmentation is required. If the DF (don't fragment) bit is set, or the ISP (Internet Service Provider) that provides the PPPoE service for Site A does not support fragmentation on PPPoE circuits, the packets are dropped because they are larger than the underlying PPPoE link can carry. Hence the gateway needs the ability to configure the MTU of its tunnels and to set or clear the DF bit.
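A worked example of the MSS clamping just described, applied to the PPPoE case above: a gateway whose uplink has MTU 1492 rewrites the MSS option of a passing SYN from 1460 (Ethernet, 1500 - 40) down to 1452 (1492 - 40) and fixes the TCP checksum. This is added code, not Contivity's implementation and not part of the original guide; the packet is constructed inline (addresses 10.0.0.1 and 10.0.1.1, port 21, and all option layout are assumptions for the demonstration). It also covers the cases a real clamp must get right: non-SYN segments are left alone, a SYN without an MSS option is left alone (the peer then assumes 536 per RFC 879), and a malformed option list stops the parser rather than looping.

```python
"""TCP MSS clamping on a raw IPv4/TCP SYN.

Constructed example (not Contivity code): a gateway that knows the MTU of the
link beyond it rewrites the MSS option in passing SYN segments so that the
peers never produce a TCP segment larger than that link can carry, which
removes the dependence on ICMP "fragmentation needed" messages.
"""
import socket
import struct

IP_HDR = 20      # IPv4 header without options
TCP_HDR = 20     # TCP header without options
TCP_SYN = 0x02
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2


def mss_for_mtu(mtu: int) -> int:
    """MSS = MTU - sizeof(IP header) - sizeof(TCP header), 20 bytes each."""
    return mtu - IP_HDR - TCP_HDR


def _checksum(data: bytes) -> int:
    """Internet (one's complement) checksum of `data`."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum including the IPv4 pseudo header (protocol 6)."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return _checksum(pseudo + segment)


def _mss_offset(tcp: bytes):
    """Index of an MSS option in TCP segment `tcp`, or None. Stops on malformed options."""
    doff = (tcp[12] >> 4) * 4
    i = TCP_HDR
    while i < doff:
        kind = tcp[i]
        if kind == OPT_EOL:
            return None
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= doff:
            return None
        length = tcp[i + 1]
        if length < 2 or i + length > doff:
            return None
        if kind == OPT_MSS and length == 4:
            return i
        i += length
    return None


def read_mss(packet: bytes):
    """MSS value carried by the packet's TCP options, or None."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    off = _mss_offset(tcp)
    return None if off is None else struct.unpack("!H", tcp[off + 2:off + 4])[0]


def clamp_mss(packet: bytes, mtu: int):
    """Return (packet, original_mss); the MSS is lowered to mss_for_mtu(mtu) if larger.

    Only SYN segments are touched (the option is valid only there). A SYN
    without an MSS option is left alone: the peer then assumes 536 (RFC 879),
    which already fits any MTU >= 576.
    """
    ihl = (packet[0] & 0x0F) * 4
    tcp = bytearray(packet[ihl:])
    if not tcp[13] & TCP_SYN:
        return packet, None
    off = _mss_offset(tcp)
    if off is None:
        return packet, None
    old = struct.unpack("!H", tcp[off + 2:off + 4])[0]
    new = min(old, mss_for_mtu(mtu))
    if new == old:
        return packet, old
    tcp[off + 2:off + 4] = struct.pack("!H", new)
    tcp[16:18] = b"\x00\x00"                      # zero before recomputing
    tcp[16:18] = struct.pack("!H", _tcp_checksum(packet[12:16], packet[16:20], bytes(tcp)))
    return packet[:ihl] + bytes(tcp), old


def tcp_checksum_ok(packet: bytes) -> bool:
    """True if the TCP checksum (including the pseudo header) verifies."""
    ihl = (packet[0] & 0x0F) * 4
    return _tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0


def build_syn(mss: int, src: str = "10.0.0.1", dst: str = "10.0.1.1") -> bytes:
    """Constructed IPv4/TCP SYN (DF set) with a single MSS option, as a client would send."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = bytearray(struct.pack("!HHIIBBHHH", 40000, 21, 1, 0, 6 << 4, TCP_SYN, 65535, 0, 0))
    tcp += struct.pack("!BBH", OPT_MSS, 4, mss)   # data offset 6 = 24 bytes
    tcp[16:18] = struct.pack("!H", _tcp_checksum(s, d, bytes(tcp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + len(tcp), 1, 0x4000, 64, 6, 0, s, d))
    ip[10:12] = struct.pack("!H", _checksum(bytes(ip)))
    return bytes(ip + tcp)


if __name__ == "__main__":
    syn = build_syn(1460)                       # Ethernet client: MSS 1500 - 40
    clamped, old = clamp_mss(syn, 1492)         # gateway's uplink is PPPoE, MTU 1492
    print(f"MSS {old} -> {read_mss(clamped)}, checksum ok: {tcp_checksum_ok(clamped)}")
```

Because the MSS is negotiated in both SYN directions, a gateway clamps SYNs entering and leaving its narrow link, which matches the per-interface setting described later in this guide; the checksum is recomputed in full here for clarity, whereas a forwarding path would update it incrementally.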

Configurable MTU and MSS clamping on Contivity

Code release V04 85 (V04 90) allows the Contivity Secure IP Services Gateway to control packet fragmentation through:
- interface MTU configuration;
- tunnel MTU configuration;
- TCP MSS clamping;
- IPSec DF bit behaviour configuration.

Contivity allows an MTU value to be configured for each of its physical and tunnel interfaces. In addition, the TCP MSS option (MSS clamping) can be enabled and configured on physical interfaces (Figure 4).

[Figure 4: WS1, Contivity, Contivity, WS2; legend: tunnel MTU, interface MTU, TCP MSS]

MTU on Contivity

Consider the situation depicted in Figure 5. WS1 sends initial data to WS2 with the DF bit set, using its own assumption of the MTU throughout the network. If fragmentation would be required at the tunnel or at an interface, Contivity sends an ICMP message back to WS1. WS1 reduces the size of the packets it sends and the transfer continues.

[Figure 5: WS1, Contivity, Contivity, WS2; ICMP from tunnel, ICMP from interface]

Contivity can configure the MTU on a per-interface basis. The default MTU of all physical interfaces is 1500, to remain backward compatible with existing configurations. The maximum MTU that may be assigned to an interface depends on the media and the layer 2 encapsulation; Contivity accepts the following maximum configurable MTU values:
- Ethernet 1500,
- PPPoE 1492,
- WAN link 1788,
- Serial 1788.

The value 1788 is derived from the largest buffer Contivity can hold. The minimum MTU is 576, the datagram size every IPv4 host must be able to accept (RFC 791).

In addition, Contivity can configure the MTU on tunnels. This value is configured per connection, so different tunnels may have different MTU settings.

If no MTU is configured for a tunnel, the largest payload that goes into the tunnel without fragmentation (the effective tunnel MTU) is derived from the interface MTU and the layer 3 encapsu