
Configuration Guide
Contivity Secure IP Services Gateway
Configurable MTU and TCP MSS clamping
CG040301 1.00 March 2004 Page: 1 of 60

Contents

Contents ... 1
Overview ... 1
MTU discovery ... 2
MSS clamping ... 4
MTU and VPN ... 5
Configurable MTU and MSS clamping on Contivity ... 6
MTU on Contivity ... 7
TCP MSS clamping on Contivity ... 9
DF bit on Contivity ... 9
Configuring MTU, MSS and DF bit ... 9
Configuring MTU, MSS and DF bit via GUI ... 10
Configuring MTU on LAN interfaces ... 10
Configuring TCP MSS on LAN interface ... 12
Configuring TCP MSS on PPPoE interface ... 14
Configuring MTU and TCP MSS for the Dial Interface ... 16
Configuring MTU and TCP MSS on WAN interface ... 17
Configuring MTU for the tunnel ... 17
Configuring DF bit for the IPSec tunnels ... 19
Configuring MTU and MSS via CLI ... 22
Event Log messages ... 28
Sample Configurations ... 29
Tunnel MTU ... 29
Setup ... 29
Configuring WS1 ... 29
Configuring WS2 ... 30
Configuring CES1 ... 30
Configuring CES2 ... 38
Testing configuration ... 46
TCP MSS Clamping ... 49
Setup ... 49
Configuring WS ... 49
Configuring CES ... 50
Configuring FTPS ... 54
Testing configuration ... 55

Overview

The Internet is a world-wide network that provides connections between computers via telecommunication links and enables them to communicate with each other. The Internet is not a homogeneous network but rather a collection of interconnected networks. Each of these networks may be built on different network elements and technologies and therefore has different characteristics in terms of speed, throughput and bandwidth. For example, some of the networks might use PPPoE (Point-to-Point Protocol over Ethernet), others Ethernet, and some might use Frame Relay or ATM as their connection.

Each technology used in the network has a different largest packet, or datagram, size that it can transmit without needing to break it down (fragment it) into smaller units. This largest size in bytes is known as the Maximum Transmission Unit, or MTU. For example, the typical MTU value is 1500 bytes for Ethernet, 1492 bytes for PPPoE, 4352 bytes for FDDI or 4464 bytes for 4 Mbps Token Ring. The default value of the network MTU may be overridden by the administrator, for example to meet local network needs.

Larger and more consistent MTUs throughout the network may reduce or eliminate fragmentation and thus enhance performance. A larger MTU increases system performance by minimizing the number of packets processed, as most of the performance cost is in "packets handled" rather than "bytes transferred". On the other hand, for dial-up connections it is better to keep the MTU smaller, to maintain good interactive response. Thus care must be taken when choosing MTU values for the network, to accommodate the needs of users and maintain the performance of the network.

MTU discovery

Systems on the network have no knowledge of the MTU values used by each network or peer system. A mechanism called path MTU discovery is used to find out the MTU parameters of other networks.

Consider the situation depicted in Figure 1. Host A has a large amount of data to send to Host B, and the path to Host B lies through a number of networks with different MTU values, such that MTU 4 > MTU 1 > MTU 2 > MTU 3. What MTU should be used to send the data to Host B?

Figure 1: Host A - Network 1 (MTU 1) - Network 2 (MTU 2) - Network 3 (MTU 3) - Network 4 (MTU 4) - Host B

Without any knowledge of the MTU across the network, Host A initially assumes that the MTU throughout the path is equal to the MTU of its first hop, MTU 1. So Host A starts to send the data using MTU 1 and with the Don't Fragment (DF) bit set.

Along the way the datagram reaches a router in Network 2. The router notices that the received datagram is larger than the MTU the second network can transmit and, with the DF bit being set, the router in Network 2 discards the datagram. The router returns an ICMP Destination Unreachable message with a code meaning "fragmentation needed and DF bit set" back to Host A. Some routers specify the correct MTU value for their network in the ICMP message, so the source does not have to guess the value.

Upon receipt of this message Host A reduces its assumed MTU for that path and tries to send the datagram again. If the second attempt is successful, meaning the selected MTU is less than or equal to MTU 2, the router in the second network processes the packets and sends them along the way to Network 3. If not, the process starts again until Host A sends the correct size.

Once the datagram reaches Network 3 the same process of MTU discovery repeats. With MTU 2 being larger than MTU 3, the router in Network 3 discards the datagram and responds with an ICMP Destination Unreachable message to Host A. Host A adjusts the MTU until the router in Network 3 agrees to process the packet, thus setting the MTU to MTU 3.

When the datagram reaches Network 4, the MTU is equivalent to MTU 3, which is smaller than MTU 4, so the datagram is processed and sent to Host B.

Thus, at the end, Host A has learned the path MTU (the smallest MTU used along the path, MTU 3) and will use that value to send the data to Host B.

For more information on path MTU discovery please consult:
RFC 1191
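The discovery sequence above, together with the ICMP-suppression failure that the MSS clamping section addresses, as an added example that is not part of the original guide: a small Python model of a host running RFC 1191 path MTU discovery across constructed networks, once with routers that answer with ICMP "fragmentation needed" and once with a firewall that suppresses it, followed by the MSS clamp (MTU minus 40) that lets a full-size TCP segment through without any ICMP feedback. The network names, MTU values and function names are this example's own constructions.

```python
# Added example, not from the Contivity guide: a model of RFC 1191 path MTU
# discovery plus the ICMP-blackhole case and the MSS clamp that works around it.
# Every network, MTU and host value below is constructed for the example.

IP_HDR = 20   # minimum IPv4 header
TCP_HDR = 20  # minimum TCP header


class Network:
    """One hop on the path. Its router drops a DF-marked datagram larger than
    its MTU and, unless ICMP is suppressed (the misconfigured firewall case),
    answers with ICMP 'fragmentation needed' carrying its own MTU."""

    def __init__(self, name, mtu, suppress_icmp=False):
        self.name = name
        self.mtu = mtu
        self.suppress_icmp = suppress_icmp


def send(path, size):
    """Push a DF-marked datagram of `size` bytes hop by hop along `path`.
    Returns ('delivered', None), ('icmp', next_hop_mtu) or ('blackhole', hop)."""
    for net in path:
        if size > net.mtu:
            if net.suppress_icmp:
                return ("blackhole", net.name)
            return ("icmp", net.mtu)
    return ("delivered", None)


def discover_path_mtu(path, max_attempts=16):
    """Host A's side of PMTUD: assume the first-hop MTU, shrink to the value
    reported in each ICMP error, stop when a datagram gets through.
    Returns (path_mtu, attempts); path_mtu is None when a blackhole hides it."""
    mtu = path[0].mtu
    for attempt in range(1, max_attempts + 1):
        status, info = send(path, mtu)
        if status == "delivered":
            return mtu, attempt
        if status == "blackhole":
            return None, attempt
        mtu = info  # the router told us its MTU, so no guessing is needed
    return None, max_attempts


def clamped_mss(advertised_mss, interface_mtu):
    """MSS clamping on a gateway interface: the peer may not announce more
    than interface MTU minus the minimum TCP/IP headers (MTU - 40)."""
    return min(advertised_mss, interface_mtu - IP_HDR - TCP_HDR)


def segment_wire_size(mss):
    """On-the-wire size of a full-MSS segment with minimum headers."""
    return mss + IP_HDR + TCP_HDR


# Constructed Figure 1 path: MTU 4 > MTU 1 > MTU 2 > MTU 3
FIGURE1_PATH = [Network("Network 1", 1500), Network("Network 2", 1492),
                Network("Network 3", 1400), Network("Network 4", 4352)]

# Constructed Figure 2 path: a firewall in front of the 1492-byte hop drops
# the ICMP error, so the sender never learns the smaller MTU.
FIGURE2_PATH = [Network("Network 1", 1500),
                Network("Firewall", 1492, suppress_icmp=True)]


def demo():
    pmtu, tries = discover_path_mtu(FIGURE1_PATH)
    print(f"Figure 1: path MTU {pmtu} learned after {tries} attempts")
    hidden, tries = discover_path_mtu(FIGURE2_PATH)
    print(f"Figure 2: PMTUD result {hidden}, blackhole after {tries} attempt(s)")
    # Clamp the MSS on the 1492-byte interface: a full segment now fits
    # without any ICMP feedback reaching the sender.
    mss = clamped_mss(1460, 1492)
    status, _ = send(FIGURE2_PATH, segment_wire_size(mss))
    print(f"MSS clamped to {mss}: full-size segment {status}")
    return pmtu, hidden, mss, status


if __name__ == "__main__":
    demo()
```

The Figure 1 run converges in three attempts because each router reports its MTU in the ICMP message; with a router that omits the value, the host would have to step down through a table of likely MTUs instead. The Figure 2 run shows why the blackhole is dangerous: the sender gets no signal at all, and only the clamped MSS on the gateway interface keeps the TCP connection alive.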

MSS clamping

Some routers along the way might fail to respond with the ICMP Destination Unreachable messages for a variety of reasons, ranging from router software bugs to configuration problems. Firewalls are often misconfigured to suppress all ICMP messages (Figure 2) (refer to RFC 1435 http://www.ietf.org/rfc/rfc1435.txt and RFC 2923 http://www.ietf.org/rfc/rfc2923.txt). This causes the MTU discovery process to fail, as the ICMP messages will not be received by the originating host. Upper layer protocols will continue to send large packets without discovering that they need to reduce the packet size. This might lead upper layer protocols, like TCP, to fail as the connection will eventually time out.

Figure 2: Host A - MTU 1 - Firewall - MTU 2 - Host B (legend: ICMP traffic, TCP traffic)

The solution to this problem is to use the TCP Maximum Segment Size (MSS) option. This option may be used only at the time a connection is established, to indicate the maximum size TCP segment that can be accepted on that connection. This Maximum Segment Size announcement is sent from the data receiver to the data sender and says "I can accept TCP segments up to size X". The size (X) may be larger or smaller than the default. The process of setting the maximum packet size through the MSS option is known as MSS clamping. With the MSS option being part of TCP, no ICMP traffic is needed to adjust the MTU values between peers. The MSS can be used completely independently in each direction of data flow; as a result there can be different maximum sizes in the two directions.

MSS counts only data bytes; it does not count TCP or IP headers. Therefore the value for the MSS can be calculated as:

MSS = MTU – sizeof(TCP header) – sizeof(IP header)

Usually a best case scenario is assumed where the TCP and IP headers have the minimum size of 20 bytes each; this gives a simplified formula for calculating the MSS:

MSS = MTU – 40

So if the MTU for Ethernet is 1500 bytes, the MSS option would be 1460 bytes.

For more information on the TCP MSS option please consult:
RFC 879 http://www.ietf.org/rfc/rfc1191.txt

MTU and VPN

Consider a situation where two sites are connected via a VPN tunnel and one of the sites uses a PPPoE interface as its connection to the Internet (Figure 3).

Figure 3: Site A - Site B

If the tunnel MTU is larger than the PPPoE MTU of the interface, then fragmentation is required. If the DF (don't fragment) bit is set, or the ISP (Internet Service Provider) that provides the PPPoE service for Site A does not support fragmentation for PPPoE circuits, the packets will be dropped as they will be larger than the underlying PPPoE can carry. As a result there is a need to have the ability to configure the MTU for the tunnels and to set or clear the DF bit.
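As an added example (not code from the guide or from the Contivity product), the following Python shows what a gateway actually does when it applies the MSS = MTU – 40 rule to a clear-text TCP SYN: it locates the MSS option (kind 2, length 4) in the TCP header, lowers it to interface MTU minus 40 when the advertised value is larger, and recomputes the TCP checksum over the pseudo-header and segment so the rewritten SYN is still valid. The addresses, ports, the 1460 and 1492 values and all helper names are constructed for the example.

```python
import struct

# Constructed addresses for the example (private and TEST-NET space).
SRC_IP = bytes([10, 0, 0, 5])
DST_IP = bytes([192, 0, 2, 10])


def inet_checksum(data: bytes) -> int:
    """Ones'-complement sum used by TCP, folded to 16 bits and inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    """IPv4 pseudo-header covered by the TCP checksum (protocol 6 = TCP)."""
    return struct.pack("!4s4sBBH", src, dst, 0, 6, tcp_len)


def build_syn(src, dst, sport, dport, mss):
    """Constructed TCP SYN carrying an MSS option, with a correct checksum."""
    options = struct.pack("!BBH", 2, 4, mss)          # kind 2, length 4, value
    data_offset = (20 + len(options)) // 4            # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                         data_offset << 4, 0x02, 65535, 0, 0)
    segment = header + options
    csum = inet_checksum(pseudo_header(src, dst, len(segment)) + segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def find_mss_option(segment: bytes):
    """Byte offset of the MSS option inside the TCP header, or None."""
    header_len = (segment[12] >> 4) * 4
    i = 20
    while i < header_len:
        kind = segment[i]
        if kind == 0:                 # end of option list
            return None
        if kind == 1:                 # NOP padding
            i += 1
            continue
        if i + 1 >= header_len:
            return None               # truncated option: stop parsing
        length = segment[i + 1]
        if length < 2:
            return None               # malformed length, never loop forever
        if kind == 2 and length == 4:
            return i
        i += length
    return None


def read_mss(segment: bytes):
    off = find_mss_option(segment)
    return None if off is None else struct.unpack("!H", segment[off + 2:off + 4])[0]


def clamp_mss(src, dst, segment: bytes, interface_mtu: int) -> bytes:
    """Gateway-side MSS clamping on a clear-text SYN: if the advertised MSS
    exceeds interface MTU - 40, rewrite it and recompute the TCP checksum.
    Non-SYN segments and segments without an MSS option pass unchanged."""
    if not segment[13] & 0x02:                        # SYN flag not set
        return segment
    off = find_mss_option(segment)
    if off is None:
        return segment
    limit = interface_mtu - 40
    current = struct.unpack("!H", segment[off + 2:off + 4])[0]
    if current <= limit:
        return segment
    seg = bytearray(segment)
    seg[off + 2:off + 4] = struct.pack("!H", limit)
    seg[16:18] = b"\x00\x00"                          # zero checksum before recomputing
    seg[16:18] = struct.pack(
        "!H", inet_checksum(pseudo_header(src, dst, len(seg)) + bytes(seg)))
    return bytes(seg)


def checksum_ok(src, dst, segment: bytes) -> bool:
    """A correct TCP checksum verifies to zero over pseudo-header plus segment."""
    return inet_checksum(pseudo_header(src, dst, len(segment)) + segment) == 0


if __name__ == "__main__":
    syn = build_syn(SRC_IP, DST_IP, 40000, 21, 1460)  # Ethernet host announces 1460
    clamped = clamp_mss(SRC_IP, DST_IP, syn, 1492)     # PPPoE-facing interface
    print("MSS before:", read_mss(syn), "after:", read_mss(clamped),
          "checksum ok:", checksum_ok(SRC_IP, DST_IP, clamped))
```

Two details matter in practice. The rewrite only touches SYN and SYN/ACK segments, because the option is only honoured at connection setup, and the checksum must be recomputed from a zeroed field or the peer will discard the segment. The example also bails out on malformed option lengths, which is the kind of input a packet-rewriting path on a gateway must tolerate.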

Configurable MTU and MSS clamping on Contivity

Code release V04 85 (V04 90) allows the Contivity Secure IP Services Gateway to control packet fragmentation through:
- Interface MTU configuration;
- Tunnel MTU configuration;
- TCP MSS clamping;
- IPSec DF bit behavior configuration.

Contivity allows MTU values to be configured for each of its physical and tunnel interfaces. Furthermore, the TCP MSS option (MSS clamping) can be enabled and configured on physical interfaces (Figure 4).

Figure 4: WS1 - Contivity - Contivity - WS2 (Tunnel MTU, Interface MTU, TCP MSS)

MTU on Contivity

Consider the situation depicted in Figure 5. WS1 sends initial data to WS2 with the DF bit set and with WS1's assumption of the MTU used throughout the network. If fragmentation is required at the tunnel or at the interface, an ICMP message is sent back to WS1. WS1 adjusts the size of the packets sent and the transfer continues.

Figure 5: WS1 - Contivity - Contivity - WS2 (ICMP from tunnel, ICMP from interface)

Contivity has the ability to configure the MTU on a per-interface basis. The default MTU value of all physical interfaces is 1500, to maintain backward compatibility with existing configurations. The maximum MTU value allowed to be assigned to an interface varies based on the media used for the interface and the layer 2 encapsulation. Thus Contivity accepts the following maximum configurable MTU values:
- Ethernet 1500,
- PPPoE 1492,
- WAN link 1788,
- Serial 1788.

The value 1788 is derived from the maximum buffer size Contivity can hold. The minimum MTU is 576.

In addition, Contivity has the ability to configure the MTU on tunnels. This value is configured per connection, so different tunnels may have different MTU settings.

If the MTU is not configured for the tunnel, then the largest payload that goes into a tunnel without fragmentation (the effective tunnel MTU) is derived from the interface MTU and the layer 3 encapsulation (Table 1):

Table 1

Tunnel Type          Derived Effective Tunnel MTU
IPSec                Interface MTU - 56
PPTP                 Interface MTU - 32
L2TP                 Interface MTU - 40
L2TP over IPSec      Interface MTU - 72
L2F                  Interface MTU - 40

If the MTU is configured for the tunnel, the largest payload is derived from the configured MTU.

Note: MTU is a property of a physical interface. CLIP (Circuit Less IP) is associated with the box and uses the loopback interface, which has an MTU of 1500. The CLIP/loopback MTU is not configurable.

TCP MSS clamping on Contivity

Consider the situation depicted in Figure 6. Suppose there is an issue with MTU discovery somewhere in the Internet along the way from WS1 to WS2. If the TCP MSS option is set on the Contivity interface, that value will be used to calculate the packet size to be sent, and the TCP peers WS1 and WS2 will not send packets larger than the configured value.

Figure 6: WS1 - Contivity - Internet - WS2 (TCP MSS)

TCP MSS clamping applies to packets that transit the Contivity gateway and to packets that originate or terminate on Contivity. TCP clamping is done on clear text packets; once packets are encrypted their contents cannot be modified. The default value for TCP MSS is calculated as the configured MTU minus 40. TCP MSS clamping is disabled by default.

DF bit on Contivity

The new version of Contivity code allows the administrator to set, copy or clear the DF bit for IPSec tunnels. Based on the configuration, the DF bit in the outer header is set, cleared or copied from the inner header.

When a packet with the DF bit set is received by the Contivity and the packet requires fragmentation, Contivity will drop the packet and return an ICMP error message to the originator. If an IPSec packet has the DF bit set in the outer header, Contivity will be unable to return an ICMP error message to the originator.

The DF bit is configured on tunnels at the group level, so if several tunnels belong to the same group, all of them will inherit the DF bit setting.

Configuring MTU, MSS and DF bit

The configuration of MTU and MSS can be done via the GUI or the CLI.
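The limits from "MTU on Contivity", the overheads from Table 1 and the DF-bit behaviour described above, worked through as an added Python example (not Contivity code): it validates an interface MTU against the per-media limits, derives the effective tunnel MTU either from a configured tunnel MTU or from Table 1, computes the default MSS clamp value, and models what happens to one inner packet entering an IPSec tunnel under each DF-bit policy. The decision logic (forward, fragment, or drop and return ICMP) is this example's simplified model of the behaviour the text describes, not the gateway's implementation, and the function names and sample packet sizes are its own.

```python
# Added example, not Contivity code. Numbers come from the guide's tables;
# the forward/fragment/drop model is a simplified reading of the DF-bit text.

TUNNEL_OVERHEAD = {            # Table 1: effective tunnel MTU = interface MTU - overhead
    "IPSec": 56,
    "PPTP": 32,
    "L2TP": 40,
    "L2TP over IPSec": 72,
    "L2F": 40,
}
MAX_INTERFACE_MTU = {"Ethernet": 1500, "PPPoE": 1492, "WAN": 1788, "Serial": 1788}
MIN_MTU = 576
DF_POLICIES = ("set", "clear", "copy")   # outer-header DF handling for IPSec tunnels


def validate_interface_mtu(media, mtu):
    """Raise ValueError unless `mtu` is within the range the guide allows for `media`."""
    if media not in MAX_INTERFACE_MTU:
        raise ValueError(f"unknown media {media!r}")
    upper = MAX_INTERFACE_MTU[media]
    if not MIN_MTU <= mtu <= upper:
        raise ValueError(f"{media} MTU must be between {MIN_MTU} and {upper}, got {mtu}")
    return mtu


def effective_tunnel_mtu(interface_mtu, tunnel_type, configured_tunnel_mtu=None):
    """Largest inner payload that enters the tunnel without fragmentation.
    A configured tunnel MTU takes precedence; otherwise Table 1 applies."""
    if configured_tunnel_mtu is not None:
        return configured_tunnel_mtu
    return interface_mtu - TUNNEL_OVERHEAD[tunnel_type]


def default_mss(interface_mtu):
    """Default TCP MSS clamp value on an interface: configured MTU minus 40."""
    return interface_mtu - 40


def encapsulate(inner_len, inner_df, interface_mtu, tunnel_type, df_policy,
                configured_tunnel_mtu=None):
    """Model the gateway's choice for one inner packet entering a tunnel.
    Returns (action, outer_df, effective_mtu), where action is
      'forward'   - the packet fits the effective tunnel MTU,
      'fragment'  - too large but inner DF is clear, so it is split,
      'drop_icmp' - too large with inner DF set: dropped, and an ICMP
                    'fragmentation needed' carrying effective_mtu goes back
                    to the originator."""
    if df_policy not in DF_POLICIES:
        raise ValueError(f"df_policy must be one of {DF_POLICIES}")
    mtu = effective_tunnel_mtu(interface_mtu, tunnel_type, configured_tunnel_mtu)
    # Outer-header DF bit per the configured policy (set / clear / copy inner).
    outer_df = {"set": True, "clear": False, "copy": inner_df}[df_policy]
    if inner_len <= mtu:
        return ("forward", outer_df, mtu)
    if inner_df:
        return ("drop_icmp", outer_df, mtu)
    return ("fragment", outer_df, mtu)


if __name__ == "__main__":
    # Constructed scenario: PPPoE-facing interface at its 1492 maximum,
    # IPSec tunnel with no configured tunnel MTU, 1500-byte inner packet.
    validate_interface_mtu("PPPoE", 1492)
    for policy in DF_POLICIES:
        print(policy, encapsulate(1500, True, 1492, "IPSec", policy))
    print("default MSS on that interface:", default_mss(1492))
```

With a 1492-byte PPPoE interface the IPSec tunnel carries at most 1436 bytes of inner payload, so a 1500-byte DF-marked packet is dropped with an ICMP error whatever the DF policy; the policy only decides whether the outer packet can itself be fragmented by routers on the Internet path. Configuring a tunnel MTU below the derived value, or enabling the 1452-byte MSS clamp, keeps full-size TCP segments from ever reaching that drop.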

Configuring MTU, MSS and DF bit via GUI

NOTE: Changing MTU and/or MSS values on interfaces and tunnels will cause the interfaces and tunnels to bounce. Changing the DF bit setting will cause all tunnels in the group to bounce.

Configuring MTU on LAN interfaces

Navigate to System → LAN to configure the MTU for LAN interfaces. The LAN Interfaces screen appears. Click Configure next to the selected interface:

The LAN Interfaces → Edit LAN Interface screen appears. Enter the MTU value (between 576 and 1500 for Ethernet) to be used for the interface (1500 is the default value for Ethernet) and click OK:

Configuring TCP MSS on LAN interface

Navigate to System → LAN to configure the TCP MSS option for the LAN interface. Click Edit next to the interface to be configured:

The LAN Interfaces → Edit IP Address screen appears. Select Enabled next to the TCP MSS Option parameter to enable TCP MSS. Enter the TCP MSS Value to be used for the interface (1460 by default for Ethernet, MTU 1500 minus 40) and click OK:

Configuring TCP MSS on PPPoE interface

Navigate to System → LAN. Click Edit next to the PPPoE interface:

The LAN Interfaces → Edit PPPoE Interface screen appears. Select Enabled for the TCP MSS Option parameter. Enter the TCP MSS Value to be used for that PPPoE interface (1452 by default) and click OK:

Configuring MTU and TCP MSS for the Dial Interface

Navigate to System → Dial Interface. The Dial Interface screen appears. Select the interface to be configured and click Configure:

The Interface Configuration screen appears. Enter the MTU to be used for the interface (the default is 1500; enter a value between 576 and 1724). Check the box next to TCP MSS Option to enable TCP MSS if MSS is required for the setup. Enter the TCP MSS Value (default 1460) and click OK:

Configuring MTU and TCP MSS on WAN interface

Navigate to System → WAN. The rest of the configuration is done in the same manner as for the Dial Interface. Select the dial interface, click Configure, enable the TCP MSS option and set the value.

Configuring MTU for the tunnel

Navigate to Profiles → Branch Office. Select the branch office interface to be configured and click Configure:

The Connection Configuration screen appears. Scroll down to the MTU section. Select whether MTU should be Enabled from the drop-down list. Set the MTU Value to be used (the default is set to 1788). Click OK at the bottom of the screen:

Configuring DF bit for the IPSec tunnels

Navigate to Profiles → Branch Office. Select the Group the tunnel belongs to and click Configure next to the group:
