Home / Blogs

Painting Ourselves Into a Corner with Path MTU Discovery

Paul Vixie

In Tony Li's article on path MTU discovery we see this text:

"The next attempt to solve the MTU problem has been Packetization Layer Path MTU Discovery (PLPMTUD). Rather than depending on ICMP messaging, in this approach, the transport layer depends on packet loss to determine that the packet was too big for the network. Heuristics are used to differentiate between MTU problems and congestion. Obviously, this technique is only practical for protocols where the source can determine that there has been packet loss. Unidirectional, unacknowledged transfers, typically using UDP, would not be able to use this mechanism. To date, PLPMTUD hasn't demonstrated a significant improvement in the situation.

Tony's article is (as usual) quite readable and useful, but my specific concern here is DNS, and more specifically Extended DNS (EDNS). I codified EDNS about fifteen years ago in RFC 2671, with the intent of permitting DNS to carry larger messages, such as for example, DNSSEC. Everything Tony described then happened, with the unhappy result that a lot of EDNS packets are dropped by various firewalls, intrusion detectors, or other well-meaning-I'm-sure devices who think they know what a DNS message has to look like. And: EDNS depends on IP fragmentation. And: IP fragmentation fails often enough to put DNSSEC at risk. Ooops.

Chris Kanterjiev and Jeffrey Mogul had previously told us all that Fragmentation (was) Considered Harmful and I in particular had no excuse for using IP fragmentation in the EDNS design, since Chris and Jeff were two of my mentors and bosses back at DECWRL in 1988 or so.

Between the inability to scale up the size of an Ethernet MTU with bandwidth, such that you could fill a 10Mbit/sec thickwire Ethernet using only a few hundred packets per second but to fill up a 100GBit/sec link requires handling several million packet headers per second… and the Internet industry's continued inability to cope with excess buffering, lack of admission control, and other forms of Internet pollution, I am starting to get the feeling that we've painted ourselves into a corner.

Tony Li (remember, were talking about Tony's Path MTU article) once said of IPv6 that it was too little, too soon and when I look at the Internet problems not solved by adding more address space, my level of agreement with Tony's assessment rises every year.

By Paul Vixie, CEO, Farsight Security. More blog posts from Paul Vixie can also be read here.

Related topics: Access Providers, Data Center, DDoS, DNS, DNS Security, Internet Protocol, IP Addressing, IPv6, Security

 
   
WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Industry Updates – Sponsored Posts

New TLD? Make Sure It's Secure

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Radix Adds Dyn as a DNS Service Provider

Facilitating a Trusted Web Space for Financial Service Professionals

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll

Dyn Partners with the Internet Systems Consortium to Host Global F-Root Nameservers

Verisign Q1 2016 DDoS Trends: Attack Activity Increases 111 Percent Year Over Year

Is Your TLD Threat Mitigation Strategy up to Scratch?

Domain Management Handbook from MarkMonitor

i2Coalition to Host First Ever Smarter Internet Forum

Encrypting Inbound and Outbound Email Connections with PowerMTA

Resilient Cybersecurity: Dealing with On-Premise, Cloud-Based and Hybrid Security Complexities

What Holds Firms Back from Choosing Cloud-Based External DNS?

Verisign Releases Q4 2015 DDoS Trends - DDoS Attack Activity Increasing by 85% Year Over Year

Best Practices from Verizon - Proactively Mitigating Emerging Fraudulent Activities

Neustar Data Identifies Most Popular Times of Year for DDoS Attacks in 2015

The Framework for Resilient Cybersecurity (Webinar)

Data Volumes and Network Stress to Be Top IoT Concerns

Sponsored Topics

Port25

Email

Sponsored by
Port25
Verisign

Security

Sponsored by
Verisign
Afilias - Mobile & Web Services

Mobile

Sponsored by
Afilias - Mobile & Web Services
Afilias

DNS Security

Sponsored by
Afilias