Below is the letter we send to admins of sites that are reported to us.
To Whom it May Concern:

As a frequent visitor of www.example.com, I am writing to tell you that your site is not reachable from all locations. This is due to what is called the Path MTU Discovery Blackhole (RFC 2923 - ftp://ftp.isi.edu/in-notes/rfc2923.txt). Essentially what is happening is that your site has Path MTU Discovery (PMTUD) enabled, but is not receiving the ICMP messages that are required for PMTUD to function properly. This is most likely due to ICMP filtering at your site, but may be due to a router in between.

One example of this occurrence is DSL users whose connection uses PPPoE. Such customers have links with an MTU of 1492, but machines behind that link that are connected via Ethernet have an MTU of 1500. A connection between such a client and your webserver will start off transferring at 1460 (1500 minus 40 bytes of IP and TCP headers), since neither side knows about the PPPoE. But the first time your webserver sends a full-size packet (which will have the "Don't Fragment" bit set, as is required in PMTUD), it won't fit through the PPPoE pipe. At that point the router on the ISP's side of the PPPoE tunnel will send an ICMP type 3 code 4 saying "Fragmentation is needed, but you have the Don't Fragment bit set, please send smaller packets." However, your webserver is not getting this packet. It is most likely being dropped by one of your firewalls, although it is possible that a router in front of you, such as your provider's, is actually dropping it.

There are two solutions to this problem:

A) Allow ICMP type 3 code 4 messages to reach the webserver
B) Turn off Path MTU Discovery on the webserver

Solution A enables your webserver to use the right MSS, and does not pose a security threat; see http://www.giac.org/certified_professionals/practicals/gsec/0719.php

Solution B will allow the ISP router to fragment the packets.

Solution A is highly preferred, as fragmentation will lead to poorer performance.
For more information, and an explanation of terms and abbreviations, read:

ftp://ftp.isi.edu/in-notes/rfc2923.txt
http://www.phildev.net/mss/

Thank you,
Phil Dibowitz
Richard van den Berg
mss@ipom.com
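The exchange the letter describes, as an added illustration that is not part of the letter or of any tool by its authors: a small model of a web server doing PMTUD across a constructed path (1500-byte Ethernet, then a 1492-byte PPPoE link), showing why filtering ICMP type 3 code 4 turns a normal MSS adjustment into a blackhole, and what each of the two solutions does instead. It assumes the router's ICMP message carries the next-hop MTU (RFC 1191 behaviour).

```python
# Added example, not from the original page. Constructed scenario: a web server on
# 1500-byte Ethernet sends to a client behind a 1492-byte PPPoE link. A hop that
# cannot forward a Don't-Fragment packet answers with ICMP type 3 code 4
# ("fragmentation needed"), unless a filter drops that ICMP on its way back.
from dataclasses import dataclass, field

IP_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options


@dataclass
class Hop:
    mtu: int


@dataclass
class Server:
    local_mtu: int = 1500
    pmtud: bool = True          # Solution B from the letter is pmtud=False
    pmtu: int = field(init=False)

    def __post_init__(self):
        self.pmtu = self.local_mtu  # PMTUD starts by assuming the local MTU

    def segment_size(self) -> int:
        # The MSS the server actually uses: 1460 at 1500, 1452 at 1492
        return self.pmtu - IP_TCP_HEADERS


def send_full_packet(server: Server, path: list, icmp_filtered: bool) -> str:
    """Outcome of sending one full-size packet: delivered, fragmented or blackhole."""
    while True:
        # First hop (in path order) that cannot carry a packet of the current PMTU
        bottleneck = next((hop.mtu for hop in path if hop.mtu < server.pmtu), None)
        if bottleneck is None:
            return "delivered"
        if not server.pmtud:
            return "fragmented"   # DF bit clear: the router fragments (Solution B)
        if icmp_filtered:
            return "blackhole"    # DF set, ICMP 3/4 never arrives, retransmits stall
        server.pmtu = bottleneck  # ICMP 3/4 delivered: shrink PMTU and resend (Solution A)


def transfer(path: list, icmp_filtered: bool, pmtud: bool = True) -> tuple:
    server = Server(pmtud=pmtud)
    return send_full_packet(server, path, icmp_filtered), server.segment_size()


if __name__ == "__main__":
    path = [Hop(1500), Hop(1492)]  # constructed: Ethernet hop, then PPPoE hop
    print("ICMP filtered, PMTUD on :", transfer(path, icmp_filtered=True))
    print("ICMP allowed,  PMTUD on :", transfer(path, icmp_filtered=False))
    print("ICMP filtered, PMTUD off:", transfer(path, icmp_filtered=True, pmtud=False))
```

Only the ICMP-allowed case both delivers the packet and settles on the correct MSS of 1452; turning PMTUD off delivers too, but at the cost of fragmentation at the bottleneck.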
This page is © Phil Dibowitz 2001 - 2009