Sites not supporting PMTUD

By pbrockert
I have a problem with some sites on the Web that do not adhere to the Path Maximum Transmission Unit Discovery (PMTUD) protocol as defined by the Internet Engineering Task Force (IETF).

I work at sea and all traffic is encrypted, which means the extra overhead needed to encapsulate the data prior to transmission requires our server to request a smaller packet from websites, and some just don't respond to the request. For example, I can get to my Yahoo start page, but when the site tries to access my e-mail (which apparently requires further encryption) it just times out and dies. Some financial sites also time out, and there seems little that we can do from our end, as the security concern is higher than our personal need to pay our bills, etc.

I'm not sure if this question should go in this forum, but it seemed closest. Do we need to contact each site that times out and ask them to implement the protocol as defined by the IETF? Can they be required to in any way or are we just left hanging?


by flo In reply to Sites not supporting PMTU ...

As a workaround you might want to do some "MSS clamping", which means modifying TCP SYN packets when they leave your systems to match the maximum MSS your downlink supports, so that packets coming from Yahoo would not need to be fragmented.

Cisco calls this "ip tcp mss-adjust"; Linux speak is "-j TCPMSS --clamp-mss-to-pmtu".

See http://pmtud.rfc822.org for more sites breaking PMTUD.


by trackme In reply to Sites not supporting PMTU ...

There are several reasons for this, and some of them could be:
1. If you implement BGP and block ICMP at your gateway router, you can have this kind of issue. This occurs mostly with banking sites also.

So try unblocking ICMP at your gateway router and see whether that helps, since PMTUD uses ICMP for discovery. At least you need to allow ICMP unreachables and time exceeded, and block the others.

Or this could be an issue with the MTU value too.

But I suggest checking ICMP first, or checking with your ISP how the BGP is set up, since that is also one of the reasons; I have seen that the same website will open with one ISP and not open with another ISP, even though I run BGP with both and the same configuration.
