Home / Blogs

Painting Ourselves Into a Corner with Path MTU Discovery

Paul Vixie

In Tony Li's article on path MTU discovery we see this text:

"The next attempt to solve the MTU problem has been Packetization Layer Path MTU Discovery (PLPMTUD). Rather than depending on ICMP messaging, in this approach, the transport layer depends on packet loss to determine that the packet was too big for the network. Heuristics are used to differentiate between MTU problems and congestion. Obviously, this technique is only practical for protocols where the source can determine that there has been packet loss. Unidirectional, unacknowledged transfers, typically using UDP, would not be able to use this mechanism. To date, PLPMTUD hasn't demonstrated a significant improvement in the situation.

Tony's article is (as usual) quite readable and useful, but my specific concern here is DNS, and more specifically Extended DNS (EDNS). I codified EDNS about fifteen years ago in RFC 2671, with the intent of permitting DNS to carry larger messages, such as for example, DNSSEC. Everything Tony described then happened, with the unhappy result that a lot of EDNS packets are dropped by various firewalls, intrusion detectors, or other well-meaning-I'm-sure devices who think they know what a DNS message has to look like. And: EDNS depends on IP fragmentation. And: IP fragmentation fails often enough to put DNSSEC at risk. Ooops.

Chris Kanterjiev and Jeffrey Mogul had previously told us all that Fragmentation (was) Considered Harmful and I in particular had no excuse for using IP fragmentation in the EDNS design, since Chris and Jeff were two of my mentors and bosses back at DECWRL in 1988 or so.

Between the inability to scale up the size of an Ethernet MTU with bandwidth, such that you could fill a 10Mbit/sec thickwire Ethernet using only a few hundred packets per second but to fill up a 100GBit/sec link requires handling several million packet headers per second… and the Internet industry's continued inability to cope with excess buffering, lack of admission control, and other forms of Internet pollution, I am starting to get the feeling that we've painted ourselves into a corner.

Tony Li (remember, were talking about Tony's Path MTU article) once said of IPv6 that it was too little, too soon and when I look at the Internet problems not solved by adding more address space, my level of agreement with Tony's assessment rises every year.

By Paul Vixie, CEO, Farsight Security. More blog posts from Paul Vixie can also be read here.

Related topics: Access Providers, Data Center, DDoS, DNS, DNS Security, Internet Protocol, IP Addressing, IPv6, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:


To post comments, please login or create an account.

Related Blogs

Officially Compromised Privacy

Zero Rating: Something Is Better Than Nothing! Or Is It?

The Emotional Cost of Cybercrime

Why I Wrote 'Thinking Security'

Regulation and Reason

Related News


Industry Updates – Sponsored Posts

Computerworld Names Afilias' Ram Mohan a Premier 100 Technology Leader

Verisign Mitigates More Attack Activity in Q3 2015 Than Any Other Quarter During Last Two Years

Protect Your Privacy - Opt Out of Public DNS Data Collection

Verisign & Forrester Webinar: Defending Against Cyber Threats in Complex Hybrid-Cloud Environments

Measuring DNS Performance for the User Experience

Dyn Evolves Internet Performance Space with Launch of Internet Intelligence

Introducing Verisign Public DNS: A Free Recursive DNS Service That Respects Your Privacy

Faster DDoS Mitigation - Introducing Verisign OpenHybrid Customer Activated Mitigation

Internet Grows to 296 Million Domain Names in Q2 2015

Verisign's Q2'15 DDoS Trends: DDoS for Bitcoin Increasingly Targets Financial Industry

Protect Your Network From BYOD Malware Threats With The Verisign DNS Firewall

Announcing Verisign IntelGraph: Unprecedented Context for Cybersecurity Intelligence

Introducing the Verisign DNS Firewall

TLD Security, Spec 11 and Business Implications

Verisign Named to the Online Trust Alliance's 2015 Honor Roll

3 Key Steps for SMBs to Protect Their Website and Critical Internet Services

Key Considerations for Selecting a Managed DNS Provider

Verisign Mitigates More DDoS Attacks in Q1 2015 than Any Quarter in 2014

Verisign OpenHybrid for Corero and Amazon Web Services Now Available

Afilias Supports the CrypTech Project - Ambitious Hardware Encryption Effort to Protect User Privacy

Sponsored Topics