[c-nsp] TCP MSS CLAMPING issue

Gert Doering gert at greenie.muc.de
Sun Jan 23 13:32:02 EST 2022


On Sun, Jan 23, 2022 at 06:58:29PM +0100, james list wrote:
> > It's "the Internet".  Pointing at clients as being "non compliant" is
> > not going to fix your server's operation - otherwise, all this fiddling
> > with TCP/MSS would not even be necessary in the first place.
> > (Another option would be, of course, to fix your network :-) - so 1500
> > byte packets can get through, and no need to reduce the client's MSS)
> I guess that nowadays almost all the companies (with a name) rely upon
> antiDDOS systems using GRE hence I'm wondering why you say we need to fix
> something on our side.

Well.  You could have direct connections to those AntiDDoS providers,
thus, no MTU issue.  Or they could fragment inside the GRE tunnels,
or send ICMP packet too big back to the sender.

Lots of ways to deal with "reduced MTU" in IPv4 land, if you must have
a segment with reduced MTU.

We do not use AntiDDoS providers that can only do GRE, so, no, not
"all companies with a name".  We have a direct handoff (using a DECIX
virtual service with 1500 MTU).

(Why does your firewall go into "must use SYN/ACK spoofing mode!!!" if
you have a DDoS provider in the path that should be dealing with that?)

> If there are RFCs (=law) I'd expect those are followed, otherwise you cannot
> complain, am I wrong?

This is The Internet.  You will find any sort of non-compliant implementation
out there - and by deviating from commonly established behaviour ("send a
MSS value in SYN/ACK") you're triggering code paths in client implementations
that are less tested, and might be just buggy.  Or rely on interface MTU
and PMTU detection (= ICMP packet too big).

But you can't fix the clients.  They are what they are.

"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             gert at greenie.muc.de
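To make concrete what the "fiddling with TCP/MSS" in this thread actually does on the wire, here is an added example (not part of the list post, and not anyone's production code) that derives the MSS a firewall would advertise for a path that crosses a GRE tunnel over a 1500-byte link, then rewrites the MSS option of a constructed SYN (or SYN/ACK) the way a clamping middlebox does, fixing up the TCP checksum incrementally. The 24-byte GRE overhead (outer IPv4 header plus a 4-byte GRE header without key or sequence fields), the TEST-NET addresses and the port numbers are assumptions chosen for the example; the resulting 1476-byte inner MTU and MSS of 1436 follow from those assumptions.

```python
"""MSS clamping on a reduced-MTU (e.g. GRE) path: derive the safe MSS and
rewrite the MSS option of a TCP SYN/SYN-ACK, keeping the checksum valid."""
import struct

IPV4_HEADER = 20          # bytes, no IP options
TCP_HEADER = 20           # bytes, before TCP options
GRE_OVERHEAD = 20 + 4     # assumption: outer IPv4 header + 4-byte GRE header (no key/seq)
MSS_OPTION_KIND = 2
CHECKSUM_OFFSET = 16      # offset of the checksum field within the TCP header


def mss_for_mtu(path_mtu: int) -> int:
    """Largest TCP payload that fits one unfragmented IPv4 packet on this path."""
    return path_mtu - IPV4_HEADER - TCP_HEADER


def gre_tunnel_mss(outer_mtu: int = 1500) -> int:
    """MSS to advertise when traffic rides a GRE tunnel over a 1500-byte link."""
    return mss_for_mtu(outer_mtu - GRE_OVERHEAD)   # 1500 -> 1476 inner MTU -> MSS 1436


def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bytes:
    return src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Full TCP checksum over the IPv4 pseudo-header plus the segment."""
    zeroed = segment[:CHECKSUM_OFFSET] + b"\x00\x00" + segment[CHECKSUM_OFFSET + 2:]
    return (~_ones_complement_sum(_pseudo_header(src_ip, dst_ip, segment) + zeroed)) & 0xFFFF


def checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """A correctly checksummed segment sums (with its checksum field) to all ones."""
    return _ones_complement_sum(_pseudo_header(src_ip, dst_ip, segment) + segment) == 0xFFFF


def _incremental_checksum(old_csum: int, old_word: int, new_word: int) -> int:
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'); no need to re-sum the whole packet."""
    s = (~old_csum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_syn(src_ip: bytes, dst_ip: bytes, mss, flags: int = 0x02) -> bytes:
    """Constructed sample segment: SYN (flags=0x12 for SYN/ACK) with an optional MSS option."""
    options = b"" if mss is None else struct.pack("!BBH", MSS_OPTION_KIND, 4, mss)
    data_offset = (TCP_HEADER + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, data_offset << 4, flags, 65535, 0, 0)
    segment = header + options
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:CHECKSUM_OFFSET] + struct.pack("!H", csum) + segment[CHECKSUM_OFFSET + 2:]


def _iter_options(segment: bytes):
    """Yield (kind, offset, length) per TCP option; stop at EOL, truncation or malformed data."""
    end = min((segment[12] >> 4) * 4, len(segment))
    i = TCP_HEADER
    while i < end:
        kind = segment[i]
        if kind == 0:                       # End of Option List
            return
        if kind == 1:                       # NOP padding
            i += 1
            continue
        if i + 1 >= end:
            return
        length = segment[i + 1]
        if length < 2 or i + length > end:  # malformed length: refuse to parse further
            return
        yield kind, i, length
        i += length


def read_mss(segment: bytes):
    for kind, off, length in _iter_options(segment):
        if kind == MSS_OPTION_KIND and length == 4:
            return struct.unpack_from("!H", segment, off + 2)[0]
    return None


def clamp_mss(segment: bytes, max_mss: int):
    """Return (segment, original_mss); the MSS is lowered only if it exceeds max_mss."""
    for kind, off, length in _iter_options(segment):
        if kind == MSS_OPTION_KIND and length == 4:
            old = struct.unpack_from("!H", segment, off + 2)[0]
            if old <= max_mss:
                return segment, old
            old_csum = struct.unpack_from("!H", segment, CHECKSUM_OFFSET)[0]
            out = bytearray(segment)
            struct.pack_into("!H", out, off + 2, max_mss)
            struct.pack_into("!H", out, CHECKSUM_OFFSET,
                             _incremental_checksum(old_csum, old, max_mss))
            return bytes(out), old
    return segment, None   # no MSS option present: nothing to clamp


if __name__ == "__main__":
    src, dst = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])   # constructed TEST-NET addresses
    syn = build_syn(src, dst, 1460)
    clamped, original = clamp_mss(syn, gre_tunnel_mss())
    print("MSS %d -> %d, checksum valid: %s" % (original, read_mss(clamped), checksum_ok(src, dst, clamped)))
```

The clamp only ever lowers the value, and a segment without an MSS option is passed through untouched; it does not insert one, because that would change the segment length and data offset rather than just a 16-bit word. Note also that this rewriting is exactly the "less tested code path" the post refers to: the client never sees the value its peer actually sent, and only the path that needs the smaller MTU benefits from it. Fragmenting inside the tunnel or returning ICMP packet-too-big, the alternatives named above, leave the handshake untouched.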