解决GRE和IPSEC中的
IP分段、MTU、MSS和PMTUD问题
1、前言
The purpose of this document is to present how IP Fragmentation and Path Maximum Transmission Unit Discovery (PMTUD) work and to discuss some scenarios involving the behavior of PMTUD when combined with different combinations of IP tunnels. The current widespread use of IP tunnels in the Internet has brought the problems involving IP Fragmentation and PMTUD to the forefront. 本文档旨在介绍IP分段和路径最大传输单元发现(PMTUD)的工作原理,并对PMTUD与不同IP隧道组合结合时的行为相关的一些方案进行探讨。当前,IP隧道在Internet中的广泛应用使IP分段和PMTUD相关的问题日益凸显出来。
2、IP分段与重组
The IP protocol was designed for use on a wide variety of transmission links. Although the maximum length of an IP datagram is 64K, most transmission links enforce a smaller maximum packet length limit, called a MTU. The value of the MTU depends on the type of the transmission link. The design of IP accommodates MTU differences by allowing routers to fragment IP datagrams as necessary. The receiving station is responsible for reassembling the fragments back into the original full size IP datagram. IP fragmentation involves breaking a datagram into a number of pieces that can be reassembled later. The IP source, destination, identification, total length, and fragment offset fields, along with the \
1
header, are used for IP fragmentation and reassembly. For more information about the mechanics of IP fragmentation and reassembly, please see RFC 791
IP协议是专为用于各种传输链路而设计的。虽然IP数据报的最大长度是64K,但大多数传输链路会强制执行更小的最大数据包长度限制(称为MTU)。MTU的值取决于传输链路的类型。IP设计允许路由器根据需要对IP数据报进行分段,从而适应MTU差异。接收站负责将这些分段重新重组为完整大小的原始IP数据报。
IP分段包括将数据报分为多个部分,可在稍后重组这些部分。IP源、目标、标识、总长度和分段偏移字段,以及IP报头中的“更多分段”标志和“不分段”标志均用于IP分段与重组。有关IP分段与重组的机制的详细信息,请参阅RFC791。
下图描述了IP报头的布局
The identification is 16 bits and is a value assigned by the sender of an IP datagram to aid in reassembling the fragments of a datagram.
The fragment offset is 13 bits and indicates where a fragment belongs in the original IP datagram. This value is a multiple of
2
eight bytes.
In the flags field of the IP header, there are three bits for control flags. It is important to note that the \(DF) bit plays a central role in PMTUD because it determines whether or not a packet is allowed to be fragmented.
Bit 0 is reserved, and is always set to 0. Bit 1 is the DF bit (0 = \= \
标识值为16位,该值由IP数据报的发送者指定,用于帮助重组数据报的分段。
分段偏移为13位,指示分段在原始 IP 数据报中的所属位置。该值是8个字节的倍数。
在IP报头的标志字段中,有三位用于控制标志。请务必注意,“不分段”(DF)位在PMTUD中发挥着中心作用,这是因为它确定是否允许对数据包进行分段。
位0为保留位,并且始终设置为0。位1为DF位(0=“可分段”,1 =“不分段”)。位2为MF位(0 =“最后一个分 段”,1 =“更多分段”)。
值 0 1 位 0(保留) 0 0 位 1 (DF) 5月 不分段 位 2 (MF) 为时 更多
The graphic below shows an example of fragmentation. If you add up all the lengths of the IP fragments, the value exceeds the original IP datagram length by 60. The reason that the overall length is increased by 60 is because three additional IP headers were created, one for each fragment after the first fragment.
3
The first fragment has an offset of 0, the length of this fragment is 1500; this includes 20 bytes for the slightly modified original IP header.
The second fragment has an offset of 185 (185 x 8 = 1480), which means that the data portion of this fragment starts 1480 bytes into the original IP datagram. The length of this fragment is 1500; this includes the additional IP header created for this fragment.
The third fragment has an offset of 370 (370 x 8 = 2960), which means that the data portion of this fragment starts 2960 bytes into the original IP datagram. The length of this fragment is 1500; this includes the additional IP header created for this fragment. The fourth fragment has an offset of 555 (555 x 8 = 4440), which means that the data portion of this fragment starts 4440 bytes into the original IP datagram. The length of this fragment is 700 bytes; this includes the additional IP header created for this fragment.
It is only when the last fragment is received that the size of the original IP datagram can be determined.
The fragment offset in the last fragment (555) gives a data offset of 4440 bytes into the original IP datagram. If you then add the data bytes from the last fragment (680 = 700 - 20), that gives you 5120 bytes, which is the data portion of the original IP datagram. Then, adding 20 bytes for an IP header equals the size of the original IP datagram (4440 + 680 + 20 = 5140).
下图显示了一个分段示例。如果将所有IP分段的长度相加,所得的值将比原始IP数据报的长度大60。总长度增加了60是因为另外创建了三个IP
4
报头(第一个分段后的每个分段各对应一个IP报头)。
第一个分段的偏移为0,此分段的长度为1500;这包括已略作修改的原始IP报头所对应的20个字节。
第二个分段的偏移为185(185 x 8 = 1480),这意味着此分段的数据部分从原始IP数据报的第1480个字节开始。此分段的长度为1500;这包括另外为此分段创建的IP报头。
第三个分段的偏移为370(370 x 8 = 2960),这意味着此分段的数据部分从原始 IP 数据报的第2960个字节开始。此分段的长度为1500;这包括另外为此分段创建的IP报头。
第四个分段的偏移为555(555 x 8 = 4440),这意味着此分段的数据部分从原始IP数据报的第4440个字节开始。此分段的长度为700个字节;这包括另外为此分段创建的IP报头。
只有在收到了最后一个分段时,才能确定原始IP数据报的大小。 通过最后一个分段的分段偏移(555),得出原始IP数据报中的数据偏移为4440个字节。如果再加上最后一个分段中的数据字节(680 = 700 - 20),这样您将获得5120个字节,这是原始IP数据报的数据部分。然后,加上IP报头的20个字节,即等于原始IP数据报的大小(4440 + 680 + 20 = 5140)。
5