TCPIP MTU settings

Michael H. Warfield mhw at wittsend.com
Mon Jul 19 11:09:20 EDT 1999


guy.raymakers at europe.eds.com enscribed thusly:

> Hi,

> We have discovered the following problem

> The remote network (offices) have a NT server and an IPsec enabled router. The
> router encapsulates the TCP/IP packets into IPsec packets.  When using the
> default tcpip MTU ( = 1500), on the NT server,  we get problems when doing file
> transfers. When we lower the tcpip MTU to 1444 we don't have these problems.
> The remote office ISP is a different one than our ISP.

> Has anyone had similar experiences?

	Not real surprising.  IPsec adds additional headers for encryption
(ESP) and authentication (AH) to the IP datagram.  That increases the length
of the datagram and forces it to be fragmented if you are running over a
hop with an identical MTU.  AFAIK, MS Windows still doesn't support (or at
least properly support) MTU discovery.  This has the net effect that if
Windows is sending at its MTU and crosses a link where the MTU is smaller
(or the packet must be grown, thus reducing the effective MTU) you end
up doubling the number of packets sent.  The number of bytes does not
go up as dramatically, but you are adding additional IP headers, along
with their AH and ESP headers, so the data does go up some as well.
If Windows did support MTU discovery, it would automagically back down its
own MTU until it could successfully communicate end to end without
fragmentation.  That would avoid this problem.  They don't, so you have to
do it manually, as you have done.  Oh well...  Have a nice day.

> regards,
> Guy

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  (The Mad Wizard)      |  (770) 925-8248   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
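
The arithmetic behind the reply, as an added example that is not part of the original post: it computes the on-the-wire size of a packet after ESP tunnel-mode encapsulation and how many IPv4 packets that becomes on a 1500-byte link. The thread does not say which transforms the router uses, so the ESP parameters (8-byte cipher block and IV, 12-byte ICV, no AH, no IP options) and all function names are assumptions.

```python
# Assumed ESP tunnel-mode parameters (not stated in the thread):
# a CBC cipher with an 8-byte block and 8-byte IV, a 12-byte truncated
# HMAC as ICV, IPv4 without options, and no separate AH header.
IP_HEADER = 20     # IPv4 header without options (inner or outer)
ESP_HEADER = 8     # SPI + sequence number
ESP_TRAILER = 2    # pad-length byte + next-header byte


def esp_tunnel_size(inner_len, block=8, iv=8, icv=12):
    """Bytes on the wire for one inner IP packet after ESP tunnel mode."""
    # Inner packet plus trailer is padded up to a whole cipher block.
    padded = (inner_len + ESP_TRAILER + block - 1) // block * block
    return IP_HEADER + ESP_HEADER + iv + padded + icv


def fragments(packet_len, link_mtu):
    """Number of IPv4 packets needed to carry packet_len across link_mtu."""
    if packet_len <= link_mtu:
        return 1
    payload = packet_len - IP_HEADER
    # Every fragment except the last carries a multiple of 8 data bytes.
    per_fragment = (link_mtu - IP_HEADER) // 8 * 8
    return (payload + per_fragment - 1) // per_fragment


def max_inner_mtu(link_mtu, **esp_params):
    """Largest inner packet that still fits link_mtu once encapsulated."""
    size = link_mtu
    while size > 0 and esp_tunnel_size(size, **esp_params) > link_mtu:
        size -= 1
    return size


def report(inner_mtu, link_mtu=1500):
    """Return (inner size, encapsulated size, packets on the wire)."""
    outer = esp_tunnel_size(inner_mtu)
    return inner_mtu, outer, fragments(outer, link_mtu)


if __name__ == "__main__":
    # The two MTU values from the thread: the default and the lowered one.
    for mtu in (1500, 1444):
        print("inner %d -> outer %d bytes, %d packet(s)" % report(mtu))
    print("largest inner MTU without fragmentation:", max_inner_mtu(1500))
```

Under these assumptions a full 1500-byte packet grows past the link MTU and is sent as two packets, while the 1444-byte setting from the thread stays within a single one.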
