
HPE FlexNetwork MSR Series Comware 7 Layer 3 - IP Services Configuration Guides

HPE FlexNetwork MSR Series
554 pages
1. A TCP source device sends a packet with the Don't Fragment (DF) bit set.
2. A router discards the packet that exceeds the MTU of the outgoing interface and returns an ICMP error message. The error message contains the MTU of the outgoing interface.
3. Upon receiving the ICMP message, the TCP source device calculates the current path MTU of the TCP connection.
4. The TCP source device sends subsequent TCP segments that each are smaller than the MSS (MSS = path MTU – IP header length – TCP header length).

If the TCP source device still receives ICMP error messages when the MSS is smaller than 32 bytes, the TCP source device will fragment packets.

An ICMP error message received from a router that does not support RFC 1191 has the MTU of the outgoing interface set to 0. Upon receiving the ICMP message, the TCP source device selects the path MTU smaller than the current path MTU from the MTU table as described in RFC 1191. Based on the selected path MTU, the TCP source device calculates the TCP MSS. The MTU table contains MTUs of 68, 296, 508, 1006, 1280, 1492, 2002, 4352, 8166, 17914, 32000, and 65535 bytes.

Because the minimum TCP MSS specified by the system is 32 bytes, the actual minimum MTU is 72 bytes.

After you enable TCP path MTU discovery, all new TCP connections will detect the path MTU. The device uses the path MTU to calculate the MSS to avoid IP fragmentation.

The path MTU uses the following aging mechanism to ensure that the source device can increase the path MTU when the minimum link MTU on the path increases:
• When the TCP source device receives an ICMP error message, it reduces the path MTU and starts an aging timer for the path MTU.
• After the aging timer expires, the source device uses a larger MSS in the MTU table, as described in RFC 1191.
• If no ICMP error message is received within two minutes, the source device increases the MSS again until the MSS negotiated during TCP three-way handshake is reached.
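
The path MTU handling described above, as an added Python sketch (not HPE's code and not part of the original guide). It assumes 20-byte IPv4 and TCP headers without options; the class and function names are hypothetical, and ignoring an ICMP report that would raise the estimate is an assumption of the sketch.

```python
from typing import NamedTuple

# Plateau table exactly as listed in the guide above (values in bytes).
MTU_TABLE = (68, 296, 508, 1006, 1280, 1492, 2002, 4352, 8166, 17914, 32000, 65535)
HDRS = 20 + 20            # assumption: IPv4 and TCP headers without options
MIN_MSS = 32              # minimum TCP MSS stated in the guide
MIN_MTU = MIN_MSS + HDRS  # 72 bytes, the "actual minimum MTU"


class PathState(NamedTuple):
    pmtu: int       # current path MTU estimate
    mss: int        # MSS derived from it (path MTU - IP header - TCP header)
    fragment: bool  # True once the MSS floor is hit and the sender fragments


def on_icmp_error(state: PathState, reported_mtu: int) -> PathState:
    """Apply an ICMP error; reported_mtu == 0 means the router lacks RFC 1191 support."""
    if reported_mtu == 0:
        # No MTU in the message: fall back to the next smaller table entry.
        candidate = max((m for m in MTU_TABLE if m < state.pmtu), default=0)
    else:
        candidate = reported_mtu
    if candidate < MIN_MTU:
        # MSS would drop below 32 bytes: stay at the floor and fragment instead.
        return PathState(MIN_MTU, MIN_MSS, True)
    if candidate >= state.pmtu:
        return state  # sketch assumption: an ICMP error never raises the estimate
    return PathState(candidate, candidate - HDRS, False)


def on_aging_timer(state: PathState, negotiated_mss: int) -> PathState:
    """Aging timer expired: try the next larger table entry, capped at the handshake MSS."""
    higher = min((m for m in MTU_TABLE if m > state.pmtu), default=state.pmtu)
    pmtu = min(higher, negotiated_mss + HDRS)
    return PathState(pmtu, pmtu - HDRS, False)


if __name__ == "__main__":
    # Constructed sequence: one report with an MTU, then two from a non-RFC 1191 router.
    state = PathState(1500, 1460, False)
    for reported in (1400, 0, 0):
        state = on_icmp_error(state, reported)
        print(f"ICMP reported MTU {reported:>4} -> {state}")
    print("aging timer ->", on_aging_timer(state, negotiated_mss=1460))
```
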

To enable TCP path MTU discovery:

Step                                Command                                                Remarks
1. Enter system view.               system-view                                            N/A
2. Enable TCP path MTU discovery.   tcp path-mtu-discovery [ aging age-time | no-aging ]   The default setting is disabled.

Enabling TCP SYN Cookie

A TCP connection is established through a three-way handshake:
1. The sender sends a SYN packet to the server.
2. The server receives the SYN packet, establishes a TCP semi-connection in SYN_RECEIVED state, and replies with a SYN ACK packet to the sender.
3. The sender receives the SYN ACK packet and replies with an ACK packet. A TCP connection is established.

An attacker can exploit this mechanism to mount SYN Flood attacks. The attacker sends a large number of SYN packets, but does not respond to the SYN ACK packets from the server. As a result, the server establishes a large number of TCP semi-connections and can no longer handle normal services.

SYN Cookie can protect the server from SYN Flood attacks. When the server receives a SYN packet, it responds with a SYN ACK packet without establishing a TCP semi-connection. The server
