Home / Blogs

Painting Ourselves Into a Corner with Path MTU Discovery

Paul Vixie

In Tony Li's article on path MTU discovery we see this text:

"The next attempt to solve the MTU problem has been Packetization Layer Path MTU Discovery (PLPMTUD). Rather than depending on ICMP messaging, in this approach, the transport layer depends on packet loss to determine that the packet was too big for the network. Heuristics are used to differentiate between MTU problems and congestion. Obviously, this technique is only practical for protocols where the source can determine that there has been packet loss. Unidirectional, unacknowledged transfers, typically using UDP, would not be able to use this mechanism. To date, PLPMTUD hasn't demonstrated a significant improvement in the situation.

Tony's article is (as usual) quite readable and useful, but my specific concern here is DNS, and more specifically Extended DNS (EDNS). I codified EDNS about fifteen years ago in RFC 2671, with the intent of permitting DNS to carry larger messages, such as for example, DNSSEC. Everything Tony described then happened, with the unhappy result that a lot of EDNS packets are dropped by various firewalls, intrusion detectors, or other well-meaning-I'm-sure devices who think they know what a DNS message has to look like. And: EDNS depends on IP fragmentation. And: IP fragmentation fails often enough to put DNSSEC at risk. Ooops.

Chris Kanterjiev and Jeffrey Mogul had previously told us all that Fragmentation (was) Considered Harmful and I in particular had no excuse for using IP fragmentation in the EDNS design, since Chris and Jeff were two of my mentors and bosses back at DECWRL in 1988 or so.

Between the inability to scale up the size of an Ethernet MTU with bandwidth, such that you could fill a 10Mbit/sec thickwire Ethernet using only a few hundred packets per second but to fill up a 100GBit/sec link requires handling several million packet headers per second… and the Internet industry's continued inability to cope with excess buffering, lack of admission control, and other forms of Internet pollution, I am starting to get the feeling that we've painted ourselves into a corner.

Tony Li (remember, were talking about Tony's Path MTU article) once said of IPv6 that it was too little, too soon and when I look at the Internet problems not solved by adding more address space, my level of agreement with Tony's assessment rises every year.

By Paul Vixie, CEO, Farsight Security. More blog posts from Paul Vixie can also be read here.

Related topics: Access Providers, Data Center, DDoS, DNS, DNS Security, Internet Protocol, IP Addressing, IPv6, Security

 
   
WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Industry Updates – Sponsored Posts

Encrypting Inbound and Outbound Email Connections with PowerMTA

Resilient Cybersecurity: Dealing with On-Premise, Cloud-Based and Hybrid Security Complexities

What Holds Firms Back from Choosing Cloud-Based External DNS?

Verisign Releases Q4 2015 DDoS Trends - DDoS Attack Activity Increasing by 85% Year Over Year

Best Practices from Verizon - Proactively Mitigating Emerging Fraudulent Activities

Neustar Data Identifies Most Popular Times of Year for DDoS Attacks in 2015

The Framework for Resilient Cybersecurity (Webinar)

Data Volumes and Network Stress to Be Top IoT Concerns

DKIM for ESPs: The Struggle of Living Up to the Ideal

Computerworld Names Afilias' Ram Mohan a Premier 100 Technology Leader

Verisign Mitigates More Attack Activity in Q3 2015 Than Any Other Quarter During Last Two Years

Protect Your Privacy - Opt Out of Public DNS Data Collection

Verisign & Forrester Webinar: Defending Against Cyber Threats in Complex Hybrid-Cloud Environments

Measuring DNS Performance for the User Experience

Dyn Evolves Internet Performance Space with Launch of Internet Intelligence

Introducing Verisign Public DNS: A Free Recursive DNS Service That Respects Your Privacy

Faster DDoS Mitigation - Introducing Verisign OpenHybrid Customer Activated Mitigation

Internet Grows to 296 Million Domain Names in Q2 2015

Verisign's Q2'15 DDoS Trends: DDoS for Bitcoin Increasingly Targets Financial Industry

Protect Your Network From BYOD Malware Threats With The Verisign DNS Firewall

Sponsored Topics

Verisign

Security

Sponsored by
Verisign
Afilias - Mobile & Web Services

Mobile

Sponsored by
Afilias - Mobile & Web Services
Afilias

DNS Security

Sponsored by
Afilias
Port25

Email

Sponsored by
Port25