
Painting Ourselves Into a Corner with Path MTU Discovery

Paul Vixie

In Tony Li's article on path MTU discovery we see this text:

"The next attempt to solve the MTU problem has been Packetization Layer Path MTU Discovery (PLPMTUD). Rather than depending on ICMP messaging, in this approach, the transport layer depends on packet loss to determine that the packet was too big for the network. Heuristics are used to differentiate between MTU problems and congestion. Obviously, this technique is only practical for protocols where the source can determine that there has been packet loss. Unidirectional, unacknowledged transfers, typically using UDP, would not be able to use this mechanism. To date, PLPMTUD hasn't demonstrated a significant improvement in the situation."

Tony's article is (as usual) quite readable and useful, but my specific concern here is DNS, and more specifically Extended DNS (EDNS). I codified EDNS about fifteen years ago in RFC 2671, with the intent of permitting DNS to carry larger messages, such as the ones DNSSEC needs. Everything Tony described then happened to EDNS, with the unhappy result that a lot of EDNS packets are dropped by various firewalls, intrusion detectors, or other well-meaning-I'm-sure devices that think they know what a DNS message has to look like. And: EDNS over UDP depends on IP fragmentation as soon as a message exceeds the path MTU. And: IP fragmentation fails often enough to put DNSSEC at risk. Oops.
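To make the fragmentation dependency concrete, here is an added Python example (mine, not code from Vixie's post, RFC 2671, or any DNS implementation). It builds a DNS query with and without the EDNS(0) OPT pseudo-record that carries the "I can take UDP messages up to N bytes" advertisement, parses that advertised size back out of the wire format, and does the IP-fragmentation arithmetic that decides how many fragments a response of a given size becomes on a path of a given MTU. The name example.com, the 4096-byte buffer, and the 1500/1280-byte MTUs are constructed values for illustration.

```python
import struct

# Added example, not code from Vixie's post or from any DNS implementation.
# Builds a DNS query with and without an EDNS(0) OPT record, parses the
# advertised UDP payload size back out, and does the IP-fragmentation
# arithmetic that decides whether a response of a given size survives a
# path of a given MTU. example.com, 4096 and the MTUs are constructed values.

DNS_HEADER_LEN = 12
OPT_TYPE = 41                 # EDNS(0) OPT pseudo-RR type (RFC 2671 / RFC 6891)
DO_BIT = 0x8000               # "DNSSEC OK" flag in the OPT TTL field
IPV4_UDP_OVERHEAD = 20 + 8    # minimal IPv4 header + UDP header
IPV6_UDP_OVERHEAD = 40 + 8    # fixed IPv6 header + UDP header


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, udp_payload_size=None, dnssec_ok=True, txid=0x1234):
    """One-question DNS query; with udp_payload_size set, an OPT RR is appended.

    The OPT RR is where EDNS carries the "I can take UDP messages up to N bytes"
    advertisement: root owner name, TYPE=41, CLASS=N, TTL holds the flags
    (including DO), RDLENGTH=0 since no options are attached here.
    """
    arcount = 0 if udp_payload_size is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)      # class IN
    msg = header + question
    if udp_payload_size is not None:
        ttl = DO_BIT if dnssec_ok else 0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, ttl, 0)
    return msg


def skip_name(msg, off):
    """Return the offset just past the name at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:         # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_edns_udp_size(msg):
    """(udp_payload_size, dnssec_ok) from the OPT RR, or None if the message has none.

    A pre-EDNS peer (or a middlebox that stripped the OPT RR) shows up here as
    None, which means the sender must assume the classic 512-byte limit.
    """
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = DNS_HEADER_LEN
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass, bool(ttl & DO_BIT)
    return None


def safe_udp_payload_size(mtu, ipv6=False):
    """Largest DNS message that crosses a path of this MTU without IP fragmentation.

    For IPv6 the minimum link MTU is 1280, so 1280 - 48 = 1232 is the largest
    EDNS buffer that never needs fragmentation on any conforming IPv6 path.
    """
    return mtu - (IPV6_UDP_OVERHEAD if ipv6 else IPV4_UDP_OVERHEAD)


def udp_fragments(dns_len, mtu, ipv6=False):
    """Number of IP packets a DNS/UDP message of dns_len bytes becomes on this path.

    1 means it fits in a single datagram. Otherwise the UDP header plus payload
    is split into fragments whose payload (except the last) is a multiple of 8.
    IPv6 routers never fragment: the sender must, and spends 8 bytes per
    fragment on the Fragment extension header, which is why the per-fragment
    capacity below is smaller for IPv6.
    """
    if dns_len <= safe_udp_payload_size(mtu, ipv6):
        return 1
    ip_header = 40 + 8 if ipv6 else 20             # IPv6 fixed hdr + Fragment hdr
    per_fragment = (mtu - ip_header) // 8 * 8
    return -(-(dns_len + 8) // per_fragment)        # ceil((UDP hdr + data) / cap)


if __name__ == "__main__":
    q = build_query("example.com.", 48, udp_payload_size=4096)   # 48 = DNSKEY
    print(len(q), "byte query advertising", parse_edns_udp_size(q))
    for size in (512, 1472, 1473, 4096):
        print("%4d-byte answer: %d IPv4 fragment(s) at MTU 1500, %d IPv6 fragment(s) at MTU 1280"
              % (size, udp_fragments(size, 1500), udp_fragments(size, 1280, ipv6=True)))
```

Run stand-alone, it shows the point of the paragraph above in numbers: a 4096-byte DNSSEC answer to a resolver that advertised a 4096-byte buffer leaves the server as three IPv4 fragments on a 1500-byte path (four on a 1280-byte IPv6 path), and if any device along the way drops fragments the resolver sees a silent timeout rather than an ICMP error. The same arithmetic also shows where the 1232-byte EDNS buffer that many operators now advertise comes from: it is the IPv6 minimum MTU of 1280 minus the 48 bytes of IPv6 and UDP headers, the largest size that never fragments on a conforming IPv6 path.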

Chris Kanterjiev and Jeffrey Mogul had previously told us all that Fragmentation (was) Considered Harmful and I in particular had no excuse for using IP fragmentation in the EDNS design, since Chris and Jeff were two of my mentors and bosses back at DECWRL in 1988 or so.

Between the inability to scale the Ethernet MTU up with bandwidth (you could fill a 10 Mbit/sec thickwire Ethernet with only a few hundred packets per second, but filling a 100 Gbit/sec link means handling several million packet headers per second) and the Internet industry's continued inability to cope with excess buffering, lack of admission control, and other forms of Internet pollution, I am starting to get the feeling that we've painted ourselves into a corner.

Tony Li (remember, we're talking about Tony's Path MTU article) once said of IPv6 that it was "too little, too soon", and when I look at the Internet problems not solved by adding more address space, my level of agreement with Tony's assessment rises every year.

By Paul Vixie, CEO, Farsight Security.

Related topics: Access Providers, Data Center, DDoS, DNS, DNS Security, Internet Protocol, IP Addressing, IPv6, Security
