Minimum Internet MTU

Chris Brenton cbrenton at
Mon Dec 22 14:13:20 UTC 2003

On Mon, 2003-12-22 at 08:27, bill wrote:
> > Is is safe to assume
> > that 99.9% of the Internet is running on 1500 MTU or higher these days? 
> 	define safe. 

I agree, this is a bit of a loaded question. I guess by safe I mean "Is
anyone aware of a specific link or set of conditions that could cause
_legitimate_ non-last fragmented packets on the wire that have a size of
less than 1200 bytes". I agree there are bound to be inexperienced users
who have shot themselves in the foot and tweaked their personal system
lower than this threshold, thus my 99.9% requirement.

I had a couple of people e-mail me about Cisco's Pre-fragmentation
feature for IPSec. If I understand it correctly (someone please correct
me if I'm wrong), its the original datagrams that get fragmented. Thus
its the encapsulated payload that will have MF set, not the actual IPSec
packet seen on the wire. With this in mind, the exposed IP header would
just show it to be a small packet, not a small fragment. Am I off here?

> 	now that you mention it...  :)
> 	btw, what will your IDS/firewall do when presented w/ a 9k mtu?

Depends on the setup. I've actually been running this as a set of IDS
rules for a few years and have detected a few 0-day events this way. I
have not hit any false positives that I'm aware of, but then again we're
only talking my small view of the Internet. Thus my question to the
group. If anyone is going to know the answer its this crew. :)

I'm looking to move the rules into the firewall/IPS realm, but want to
be sure before I do as now we are talking blocking the traffic rather
than just recording it. First implementation would be a set of iptables
rules, with pf shortly after. I have not seen any commercial firewalls
with this type of capability, but I have not had a chance to focus on
this aspect too deeply as of yet. Checkpoint has possibilities, but
implementation would probably be beyond the typical point and click

Thanks for all the great feedback!

More information about the NANOG mailing list