Minimum Internet MTU

Greetings all,

I'm working with a few folks on firewall and IDS rules that will flag
suspicious fragmented traffic. I know the legal minimum of a
non-terminal fragment is 28 bytes, but given non-terminals should
reflect the MTU of the topologies along the link, this number is far
lower than what I expect you should see for legitimate fragmentation in
the wild.

A few years back I noted some 512-536 MTU links in Asia. I've been doing
some testing and can't seem to find them anymore. Is it safe to assume
that 99.9% of the Internet is running on 1500 MTU or higher these days?

I know some people artificially set their end point MTU a bit lower
(like 1400) to deal with things like having their traffic encapsulated
by GRE or IPSec. With this in mind, would we be safe to flag/drop/whatever
all fragments smaller than 1200 bytes that are not last fragments
(i.e., more fragments is still set)? Does anyone maintain, or is aware,
of links that would not meet this 1200 MTU?

Any and all feedback would be greatly appreciated,
C

by GRE or IPSec. With this in mind, would we be safe to flag/drop/whatever
all fragments smaller than 1200 bytes that are not last fragments
(i.e., more fragments is still set)?

No. Check the previous thread about IPSec and MTU. Some IPSec implementations split the greater-than-MTU-sized packet in half in order to avoid the possibility of further fragmentation down the road, giving better performance.

~Hani Mustafa

I'm working with a few folks on firewall and IDS rules that will flag
suspicious fragmented traffic. I know the legal minimum of a
non-terminal fragment is 28 bytes, but given non-terminals should
reflect the MTU of the topologies along the link, this number is far
lower than what I expect you should see for legitimate fragmentation in
the wild.

A few years back I noted some 512-536 MTU links in Asia. I've been doing
some testing and can't seem to find them anymore. Is it safe to assume
that 99.9% of the Internet is running on 1500 MTU or higher these days?

  There are many deployments of DSL-based layer 2 providers, which
  use L2TP (or whatever) tunnelling as well as PPPoE to associate
  end clients to layer 3 ISPs. They enforce MTUs like 1450 or lower.
  In Japan, NTT East/West (NTT is a previously government-owned telco)
  provide such service and enforce an MTU of 1454.

itojun
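The heuristic C proposes (flag any fragment with MF set and a total length under 1200 bytes) next to the two legitimate cases the replies raise, as an added example that is not code from anyone in the thread. It assumes a 20-byte IPv4 header with no options, and the "split in half" routine is a simplified model of the IPsec behaviour Hani describes, not any particular implementation.

```python
import struct

# Threshold from the original post: non-last fragments shorter than this are "suspicious".
MIN_NONLAST_FRAGMENT = 1200


def parse_ipv4_fragment(pkt: bytes) -> dict:
    """Pull total length, More-Fragments flag and byte offset out of an IPv4 header."""
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", pkt[:8])
    assert ver_ihl >> 4 == 4, "not an IPv4 packet"
    return {"total_len": total_len,
            "mf": bool(flags_frag & 0x2000),     # More Fragments bit
            "offset": (flags_frag & 0x1FFF) * 8}  # offset field is in 8-byte units


def suspicious_fragment(pkt: bytes, threshold: int = MIN_NONLAST_FRAGMENT) -> bool:
    """The rule asked about in the thread: MF set and shorter than the threshold."""
    f = parse_ipv4_fragment(pkt)
    return f["mf"] and f["total_len"] < threshold


def build_fragment(payload_len: int, offset: int, more: bool) -> bytes:
    """Constructed IPv4 fragment: 20-byte header, zeroed payload, checksum left at 0."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                         flags_frag, 64, 17, 0, bytes(4), bytes(4))
    return header + bytes(payload_len)


def fragment_to_mtu(payload_len: int, mtu: int) -> list:
    """Ordinary router fragmentation: every non-last fragment is filled to the MTU."""
    per_frag = (mtu - 20) // 8 * 8
    frags, offset = [], 0
    while offset < payload_len:
        chunk = min(per_frag, payload_len - offset)
        frags.append(build_fragment(chunk, offset, offset + chunk < payload_len))
        offset += chunk
    return frags


def split_in_half(payload_len: int) -> list:
    """Model of the behaviour Hani describes (assumption): an oversize datagram's payload
    is cut into two near-equal halves so neither half can be fragmented again downstream."""
    first = (payload_len // 2) // 8 * 8
    return [build_fragment(first, 0, True), build_fragment(payload_len - first, first, False)]


if __name__ == "__main__":
    # 1500-byte datagram (1480 payload) over itojun's 1454 MTU: first fragment is 1452 bytes, passes.
    print([suspicious_fragment(f) for f in fragment_to_mtu(1480, 1454)])  # [False, False]
    # Same datagram half-split as Hani describes: first fragment is 756 bytes, MF set, gets flagged.
    print([suspicious_fragment(f) for f in split_in_half(1480)])          # [True, False]
```

The second case is the false positive the reply warns about: a 756-byte non-last fragment is legitimate traffic under that IPsec behaviour, so a 1200-byte floor would drop it.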