MTU path discovery and IPSec

Barney Wolff barney at
Thu Dec 4 23:03:38 UTC 2003

On Thu, Dec 04, 2003 at 05:54:42PM -0500, Valdis.Kletnieks at wrote:
> On Thu, 04 Dec 2003 16:40:45 EST, Joe Maimon <jmaimon at>  said:
> > I was wondering would it not be wiser for fraggers to frag in half 
> > instead of just the overflow?
> There's 2 cases here:
> 1) This is the final frag on the path - if PMTUD is in use, we want to frag
> right at the overflow so the connection can use the max (so if we're fragging
> from 1500 down to 1410, they end up with 1410 rather than 750).
> 2) There's an even more restrictive frag further downstream.  We frag from 1500
> to 1460, and somebody else frags from 1460 down to 1410.  If you frag at overflow,
> you end up with a PMTU of 1410.  If you fragged it in half, you avoid the second
> frag but end up with a PMTU of 750.
> After several dozen packets, the difference between 750 and 1410 will start to become
> noticeable.....

That's not how PMTUD works.  If DF is set, you discard the packet and
report back with ICMP.  If DF is not set, you frag the packet - but
that's not PMTUD, because no report ever goes back to the sender.

Barney Wolff
I'm available by contract or FT, in the NYC metro area or via the 'Net.
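
The distinction drawn in the reply above, as an added example that is not part of the original post: a simulated router hop either drops a DF packet and reports back with ICMP (type 3 code 4, per RFC 1191) or silently fragments a non-DF packet, and a sender loop converges on the path MTU only in the DF case. The function names, the 20-byte header and the two-link path (MTUs 1460 and 1410, taken from the quoted figures) are assumptions made for the illustration.

```python
IP_HDR = 20  # assumption: IPv4 header with no options

def forward(total_len, df, link_mtu):
    """One router hop. Returns ('forward', [packet sizes]) or ('icmp', next_hop_mtu)."""
    if total_len <= link_mtu:
        return ("forward", [total_len])
    if df:
        # DF set: discard and report "fragmentation needed" with the next-hop MTU
        return ("icmp", link_mtu)
    # DF clear: fragment; non-final fragments carry a multiple of 8 payload bytes
    payload = total_len - IP_HDR
    chunk = (link_mtu - IP_HDR) // 8 * 8
    sizes = []
    while payload > 0:
        take = min(chunk, payload)
        sizes.append(take + IP_HDR)
        payload -= take
    return ("forward", sizes)

def send_along(path, total_len, df):
    """Push one packet across every link MTU in path.
    Returns (sizes delivered to the receiver, ICMP-reported MTU or None)."""
    packets = [total_len]
    for mtu in path:
        out = []
        for size in packets:
            verdict, result = forward(size, df, mtu)
            if verdict == "icmp":
                return ([], result)  # packet lost, sender gets a report
            out.extend(result)
        packets = out
    return (packets, None)  # delivered, sender learns nothing about the path

def discover_pmtu(path, first_hop_mtu):
    """Sender side of PMTUD: send with DF, shrink the estimate on each report."""
    estimate, reports = first_hop_mtu, []
    while True:
        _, icmp_mtu = send_along(path, estimate, df=True)
        if icmp_mtu is None:
            return estimate, reports
        reports.append(icmp_mtu)
        estimate = icmp_mtu  # always strictly smaller, so the loop terminates

if __name__ == "__main__":
    path = [1460, 1410]  # constructed path, figures from the thread
    print("DF clear:", send_along(path, 1500, df=False))
    print("DF set  :", discover_pmtu(path, 1500))
```

With DF clear the receiver gets three fragments and the sender never gets a report; with DF set the sender sees two ICMP reports and settles on 1410.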
