Cisco - Resolving IP Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPSEC (4)

2020-05-24 10:30

According to RFC 1191, a router that returns an ICMP message indicating "fragmentation needed and DF set" should include the MTU of the next-hop network in the low-order 16 bits of the ICMP additional header field that is labeled "unused" in the ICMP specification, RFC 792.

Early implementations of RFC 1191 did not supply the next-hop MTU information. Even when this information is supplied, some hosts ignore it. For this case, RFC 1191 also contains a table that lists the suggested values by which the MTU should be lowered during PMTUD. Hosts use these values to arrive more quickly at a reasonable value for the send MSS.
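As an added worked example (it is not part of the Cisco document), the following Python builds and parses the ICMP message described above, then applies the two choices RFC 1191 gives a host: use the router's next-hop MTU when it is present and plausible, otherwise step down the RFC 1191 plateau table. The send MSS is derived as PMTU minus 40 bytes of IPv4 and TCP headers (no options); the bytes of the offending datagram are constructed for the demo and are not interpreted.

```python
import struct

# RFC 1191 section 7.1 "plateau" table: common MTU values a host steps down
# through when a Fragmentation Needed message carries no next-hop MTU.
PLATEAUS = [65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68]
IP_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options


def icmp_checksum(data: bytes) -> int:
    """RFC 792 ones-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frag_needed(next_hop_mtu: int, offending: bytes) -> bytes:
    """ICMP type 3 (Destination Unreachable), code 4 (Fragmentation Needed and
    DF Set). The second 32-bit word is 16 "unused" bits followed by the
    next-hop MTU in the low-order 16 bits (RFC 1191); a pre-RFC-1191 router
    leaves it zero. The body is the offending datagram's IP header + 8 bytes."""
    body = offending[:28]
    header = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu)
    csum = icmp_checksum(header + body)
    return struct.pack("!BBHHH", 3, 4, csum, 0, next_hop_mtu) + body


def parse_next_hop_mtu(msg: bytes):
    """Return the next-hop MTU from a Fragmentation Needed message (0 when the
    router did not fill it in), or None for any other ICMP message."""
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if (icmp_type, code) != (3, 4):
        return None
    if icmp_checksum(msg) != 0:  # a valid message sums to all ones
        raise ValueError("bad ICMP checksum")
    return mtu


def next_pmtu(current_pmtu: int, reported_mtu: int) -> int:
    """New Path MTU estimate: trust the router's value when it is present and
    smaller than the current estimate; otherwise step to the next plateau."""
    if 68 <= reported_mtu < current_pmtu:
        return reported_mtu
    return next((p for p in PLATEAUS if p < current_pmtu), 68)


def send_mss(pmtu: int) -> int:
    return pmtu - IP_TCP_HEADERS


# Constructed sample: IPv4 header + 8 bytes of a 1500-byte DF datagram.
SAMPLE = b"\x45\x00" + struct.pack("!H", 1500) + b"\x00" * 24

if __name__ == "__main__":
    for router_mtu in (1400, 0):  # an RFC 1191 router, then a legacy router
        mtu = parse_next_hop_mtu(build_frag_needed(router_mtu, SAMPLE))
        pmtu = next_pmtu(1500, mtu)
        print(f"reported={mtu} -> PMTU {pmtu}, send MSS {send_mss(pmtu)}")
```

With a router that reports 1400 the host goes straight to a 1360-byte MSS; with a legacy router that reports 0 it steps from 1500 to the 1492 plateau (MSS 1452), and on the next Fragmentation Needed message to 1006, which is why the table gets a host to a workable MSS in a handful of round trips instead of one byte at a time.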


PMTUD is done continually on all packets because the path between sender and receiver can change dynamically. Each time a sender receives a "Can't Fragment" ICMP message, it updates the routing information (where it stores the PMTU).

Two possible things can happen during PMTUD:

- The packet can get all the way to the receiver without being fragmented.

Note: In order to protect its CPU against DoS attacks, a router throttles the number of ICMP unreachable messages it sends to two per second. Therefore, if you have a network scenario in which you expect the router to need to respond with more than two ICMP "fragmentation needed" messages (type 3, code 4) per second (possibly to different hosts), you would want to disable the throttling of ICMP messages with the no ip icmp rate-limit unreachable [df] global configuration command.

- The sender can get an ICMP "Can't Fragment" message from any (or every) hop along the path to the receiver.

PMTUD is done independently for both directions of a TCP flow. There may be cases where PMTUD in one direction of a flow triggers one of the end stations to lower its send MSS while the other end station keeps its original send MSS because it never sent an IP datagram large enough to trigger PMTUD.

A good example of this is the HTTP connection depicted below in Scenario 3. The TCP client is sending small packets and the server is sending large packets. In this case, only the server's large packets (greater than 576 bytes) will trigger PMTUD. The client's packets are small (less than 576 bytes) and will not trigger PMTUD because they do not require fragmentation to get across the 576-byte MTU link.

Scenario 3

Scenario 4 shows an asymmetric routing example where one of the paths has a smaller minimum MTU than the other. Asymmetric routing occurs when different paths are taken for sending and receiving data between two endpoints. In this scenario, PMTUD will trigger the lowering of the send MSS in only one direction of a TCP flow. The traffic from the TCP client to the server flows through Router A and Router B, whereas the return traffic from the server to the client flows through Router D and Router C. When the TCP server sends packets to the client, PMTUD will trigger the server to lower its send MSS because Router D must fragment the 4092-byte packets before it can send them to Router C.

The client, on the other hand, will never receive an ICMP "Destination Unreachable" message with the code "fragmentation needed and DF set", because Router A does not have to fragment packets when sending to the server through Router B.

Scenario 4

Note: The ip tcp path-mtu-discovery command is used to enable TCP path MTU discovery for TCP connections initiated by the router (for example, BGP and Telnet).
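To make the behaviour of Scenarios 3 and 4 and of the rate-limit note concrete, here is an added Python simulation; it is not part of the Cisco document. Each hop is a router with an outgoing link MTU, a DF-set datagram is pushed hop by hop, and a sender lowers its PMTU estimate (and so its send MSS) only when a Fragmentation Needed message actually comes back. The link MTUs other than the 576-byte link and the 4092-byte server packets are assumed, as is modelling the two-per-second unreachable throttle as a single per-router counter.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

IP_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options


@dataclass
class Router:
    name: str
    out_mtu: int             # MTU of this router's next-hop link (assumed values)
    icmp_per_sec: int = 2    # unreachable throttle from the note above
    sent: Dict[int, int] = field(default_factory=dict)  # second -> ICMPs sent

    def forward(self, size: int, df: bool, now: int) -> Union[str, int]:
        """Forward one datagram. Returns 'forwarded', 'fragmented',
        'rate-limited' (dropped, no ICMP) or the next-hop MTU that goes
        into the ICMP Fragmentation Needed message."""
        if size <= self.out_mtu:
            return "forwarded"
        if not df:
            return "fragmented"
        if self.sent.get(now, 0) >= self.icmp_per_sec:
            return "rate-limited"
        self.sent[now] = self.sent.get(now, 0) + 1
        return self.out_mtu


@dataclass
class Host:
    name: str
    pmtu: int                # starts at the first-hop MTU

    @property
    def mss(self) -> int:
        return self.pmtu - IP_TCP_HEADERS


def send_df(src: Host, path: List[Router], size: int, now: int = 0) -> str:
    """Push one DF-set datagram along the path. On Fragmentation Needed the
    sender lowers its PMTU (and so its send MSS); a silent drop leaves the
    estimate unchanged, which is the PMTUD black hole."""
    for hop in path:
        outcome = hop.forward(size, True, now)
        if outcome == "forwarded":
            continue
        if outcome == "rate-limited":
            return "dropped without ICMP"
        src.pmtu = min(src.pmtu, outcome)
        return f"{hop.name} reported next-hop MTU {outcome}"
    return "delivered"


def scenario3() -> Tuple[int, int]:
    """HTTP across a 576-byte link: 200-byte client requests never trigger
    PMTUD, the server's 1500-byte responses do. Returns (client, server) MSS."""
    client, server = Host("client", 1500), Host("server", 1500)
    send_df(client, [Router("R1", 576), Router("R2", 1500)], 200)
    send_df(server, [Router("R2", 576), Router("R1", 1500)], 1500)
    return client.mss, server.mss


def scenario4() -> Dict[str, int]:
    """Asymmetric routing: client->server via A and B, server->client via D
    and C, with D's link to C assumed to be 1500 bytes and the server on a
    4092-byte medium. Only the server's direction triggers PMTUD."""
    client, server = Host("client", 1500), Host("server", 4092)
    before = server.mss
    send_df(client, [Router("A", 1500), Router("B", 4092)], 1500)
    send_df(server, [Router("D", 1500), Router("C", 1500)], 4092)
    return {"client_mss": client.mss, "server_mss_before": before,
            "server_mss_after": server.mss}


def burst(n_hosts: int = 5) -> Tuple[int, int]:
    """n_hosts each push one oversized DF packet through the same router in
    the same second: only two get an ICMP back, the rest are black-holed."""
    d = Router("D", 1500)
    results = [send_df(Host(f"h{i}", 4092), [d], 4092, now=7) for i in range(n_hosts)]
    answered = sum(r.startswith("D reported") for r in results)
    return answered, n_hosts - answered


if __name__ == "__main__":
    print("scenario 3 (client MSS, server MSS):", scenario3())
    print("scenario 4:", scenario4())
    print("burst of 5 through one router (got ICMP, black-holed):", burst())
```

In Scenario 3 the client keeps a 1460-byte MSS while the server drops to 536; in Scenario 4 only the server's MSS moves (4052 to 1460) and the client's never does. The burst run shows why the throttle matters: five hosts hitting the same router in one second get two Fragmentation Needed messages between them, and the other three retransmit blind until a later second.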

7. PMTUD Problems

There are three things that can break PMTUD, two of which are uncommon and one of which is common.

- A router can drop a packet and not send an ICMP message. (Uncommon)

- A router can generate and send an ICMP message, but the ICMP message gets blocked by a router or firewall between this router and the sender. (Common)

- A router can generate and send an ICMP message, but the sender ignores the message. (Uncommon)

The first and last of the three bullets above are uncommon and are usually the result of an error, but the middle bullet describes a common problem. People who implement ICMP packet filters tend to block all ICMP message types rather than blocking only certain ICMP message types. A packet filter can block all ICMP message types except those that are "unreachable" or "time-exceeded". The success or failure of PMTUD hinges upon ICMP unreachable messages getting through to the sender of a TCP/IP packet. ICMP time-exceeded messages are important for other IP issues. An example of such a packet filter, implemented on a router, is shown below.

access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny icmp any any
access-list 101 permit ip any any
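The following Python is an added example, not Cisco code, that models the first-match evaluation an IOS access list applies to the four entries above and contrasts it with the blanket "block all ICMP" filter the text warns about. Only protocol and ICMP type are modelled (every entry is "any any"); the ICMP type numbers behind the IOS keywords are from RFC 792.

```python
from dataclasses import dataclass
from typing import List, Optional

# RFC 792 ICMP type numbers behind the IOS keywords used in the ACL.
UNREACHABLE, TIME_EXCEEDED, ECHO = 3, 11, 8


@dataclass(frozen=True)
class Ace:
    """One access-list entry; source and destination are 'any any' throughout."""
    action: str                      # "permit" or "deny"
    proto: str                       # "icmp", or "ip" for any protocol
    icmp_type: Optional[int] = None  # None matches every ICMP type


# access-list 101 from the page, one Ace per line, in the same order.
ACL_101 = [
    Ace("permit", "icmp", UNREACHABLE),    # permit icmp any any unreachable
    Ace("permit", "icmp", TIME_EXCEEDED),  # permit icmp any any time-exceeded
    Ace("deny", "icmp"),                   # deny icmp any any
    Ace("permit", "ip"),                   # permit ip any any
]

# The filter the text warns about: every ICMP type blocked, the rest allowed.
ACL_BLOCK_ALL_ICMP = [Ace("deny", "icmp"), Ace("permit", "ip")]


def evaluate(acl: List[Ace], proto: str, icmp_type: Optional[int] = None) -> str:
    """IOS semantics: entries are tested top down, the first match decides,
    and a list with no matching entry ends in an implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.icmp_type is not None and ace.icmp_type != icmp_type:
            continue
        return ace.action
    return "deny"


def pmtud_survives(acl: List[Ace]) -> bool:
    """PMTUD needs type 3 unreachables (including code 4, fragmentation
    needed) to reach the sender; run this against any candidate filter."""
    return evaluate(acl, "icmp", UNREACHABLE) == "permit"


if __name__ == "__main__":
    for name, acl in (("acl 101", ACL_101), ("block-all-icmp", ACL_BLOCK_ALL_ICMP)):
        print(name, "frag-needed:", evaluate(acl, "icmp", UNREACHABLE),
              "echo:", evaluate(acl, "icmp", ECHO), "tcp:", evaluate(acl, "tcp"),
              "PMTUD ok:", pmtud_survives(acl))
```

Order is what makes access-list 101 work: the two permits must sit above "deny icmp any any", because the first matching entry wins. Swapping them, or collapsing the list to the two-line block-all-ICMP form, silently drops the Fragmentation Needed messages and turns every oversized DF packet into a black hole.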
