
To: "Mark Smith" <mark.smith,AT,avcosystems,DOT,co,DOT,uk>
Subject: RE: CIPE 1.5.4 / NAT / iptables issue
From: "Dick St.Peters" <stpeters,AT,NetHeaven,DOT,com>
Date: Fri, 11 Jul 2003 11:30:22 -0400
Cc: <cipe-l,AT,inka,DOT,de>
In-reply-to: <000401c347a5$145c11e0$d100010a@lyta>
References: <B6A0EB1BE797A44298B7F4484B32FDE60177B9@turbo.infoprojekt.hr><000401c347a5$145c11e0$d100010a@lyta>

Mark Smith writes:
> I run NAT over CIPE 1.5.4 on 2.4.18 without any apparent problem apart from
> large packets and PMTUD.  I'm still hoping that the person that suggested
> using iptables to clamp mss to pmtu can provide more information either
> where they found that out, or if they know, why it works and what it
> changes.

I don't think I'm the person who suggested that, but I can
provide some explanation.  At the beginning of a TCP
session, each end tells the other the largest packet size it
can send or receive.  To see what this implies, it helps to
consider network diagrams, beginning with a trivial one, two
hosts A and B directly connected by a network link:
        A <-link-> B
Both A and B know the largest packet the link will carry
because they are connected to it.  This is true even if the
link is a virtual link, such as a CIPE tunnel.

Now advance to a more complex diagram:
        A <-link 1-> X <-link 2-> Y <-link 3-> B
If link 2 is a virtual link, its maximum packet size will be
reduced by the tunnel overhead and will be smaller than for
links 1 and 3.  Normally neither A nor B will know that.  A
will only know the largest packet link 1 can carry.  B will
only know the largest packet link 3 can carry.

However, A and B have to learn about link 2's smaller
maximum size to talk efficiently.  One way for A to learn
the link 2 size is for the owner/user of A to clamp A's
maximum packet size to the maximum size for link 2.  Then
when A tells B the maximum size A can send/receive, it will
give the clamped size, not the link 1 maximum size.

There's no way to clamp the size with iptables that I know
of, but you can do it with the Linux route command.
However, there's an error in the implementation: the "mss"
route parameter actually sets the MTU, not the MSS.
Clamping the real MSS to the path MTU would be wrong, but
clamping what the route command calls mss to the path MTU is

(MTU is the maximum packet size, MSS is the maximum TCP
payload size - i.e., MTU minus TCP/IP overhead.)

Dick St.Peters, stpeters,AT,NetHeaven,DOT,com 
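Added example (not part of the original message or of CIPE): a small Python model of the A/X/Y/B diagram above, to make the MTU-versus-MSS distinction concrete. It computes the path MTU as the smallest link MTU, derives the MSS that fits inside it (MTU minus IPv4 and TCP headers), builds a TCP SYN carrying the MSS option that each end uses to tell the other its largest segment, parses that option back out, and shows the rewrite a clamping device would perform on a SYN whose advertised MSS is too large for the tunnel path. The 48-byte tunnel overhead, the 1500-byte link MTUs and the port numbers are constructed placeholders, not CIPE's real figures, and the SYN has no checksum (a real clamp must recompute it).

```python
import struct

# Constructed link MTUs for:  A <-link 1-> X <-link 2-> Y <-link 3-> B
# Link 2 is the tunnel; its MTU is the physical MTU minus an assumed
# per-packet tunnel overhead (placeholder value, not CIPE's actual overhead).
ASSUMED_TUNNEL_OVERHEAD = 48
LINKS = {"link1": 1500, "link2": 1500 - ASSUMED_TUNNEL_OVERHEAD, "link3": 1500}

IPV4_HEADER = 20
TCP_HEADER = 20
MSS_OPTION_KIND = 2


def path_mtu(links):
    """Largest packet that fits every hop on the path: the smallest link MTU."""
    return min(links.values())


def mss_for_mtu(mtu, ip_header=IPV4_HEADER, tcp_header=TCP_HEADER):
    """MSS is the TCP payload that fits in one packet of size mtu."""
    return mtu - ip_header - tcp_header


def build_syn(src_port, dst_port, mss=None):
    """Minimal TCP SYN header (checksum left zero) with an optional MSS option."""
    options = b"" if mss is None else struct.pack("!BBH", MSS_OPTION_KIND, 4, mss)
    data_offset = (TCP_HEADER + len(options)) // 4  # header length in 32-bit words
    syn_flag = 0x02
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                         data_offset << 4, syn_flag, 65535, 0, 0)
    return header + options


def _find_mss(tcp_segment):
    """Return the byte offset of the 16-bit MSS value in the option list, or None."""
    header_len = (tcp_segment[12] >> 4) * 4
    i = TCP_HEADER
    while i < header_len:
        kind = tcp_segment[i]
        if kind == 0:          # end of option list
            return None
        if kind == 1:          # NOP is a single byte
            i += 1
            continue
        length = tcp_segment[i + 1]
        if kind == MSS_OPTION_KIND and length == 4:
            return i + 2
        i += length
    return None


def parse_mss(tcp_segment):
    """The MSS this end advertised in its SYN, or None if the option is absent."""
    off = _find_mss(tcp_segment)
    if off is None:
        return None
    return struct.unpack("!H", tcp_segment[off:off + 2])[0]


def clamp_syn_mss(tcp_segment, pmtu):
    """Rewrite the SYN so the advertised MSS never exceeds what fits in pmtu."""
    off = _find_mss(tcp_segment)
    if off is None:
        return tcp_segment
    advertised = struct.unpack("!H", tcp_segment[off:off + 2])[0]
    limit = mss_for_mtu(pmtu)
    if advertised <= limit:
        return tcp_segment
    seg = bytearray(tcp_segment)
    seg[off:off + 2] = struct.pack("!H", limit)
    return bytes(seg)


if __name__ == "__main__":
    pmtu = path_mtu(LINKS)
    # A only knows link 1, so without clamping it advertises the link-1 MSS.
    syn = build_syn(40000, 80, mss_for_mtu(LINKS["link1"]))
    print("path MTU:", pmtu, "A advertises MSS:", parse_mss(syn))
    print("after clamp MSS:", parse_mss(clamp_syn_mss(syn, pmtu)))
```

The value to clamp to is an MSS, derived from the path MTU; passing the path MTU itself where an MSS is expected would overstate the segment size by 40 bytes, which is exactly the MTU/MSS confusion the message describes.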
