[Shorewall-users] Way OT: MSS/MTU question.

Joshua Banks l0f33t at yahoo.com
Mon Dec 15 14:37:40 PST 2003

--- chris <ck2 at softhome.net> wrote:
> Joshua Banks wrote:
> >Hello,
> >
> >I've been trying to track down the answer to this and am coming up
> >empty handed. I'm hoping someone might shed some light on the
> >following regarding mtu/mss values.
> >
> >When I do: "netstat -rn"  or "route -nee"
> >
> >Why is the "mss" value "40" ? Everything works just fine. (e.g...
> >downloading email attachments and doing file transfers so I'm
> >thinking that this is a bug of some sort.)
> >  
> >
> Well, from what I remember, the MSS value isn't determined by YOU,
> it's 
> set by the RECEIVER of the segment.  Therefore, it's possible that 
> during the establishment of the connections you showed, the receivers
> set the MSS to 40.

Not really. Packet sniffing helped by some backing of some RFCs,
mainly 732, and now replaced by RFC 1122. In the initial TCP start or
circuit setup sequence, each system knows its MTU value and sends its
max MSS value -40 bytes for the IP and TCP headers (these are the
minimum values). In actuality IP packets have a 20 byte header, with a
maximum of 60 bytes being used for data. TCP segments have the same type
of value sizes. And although RFC 1122 states that TCP implementations
must set aside 40 bytes of data when a segment is created, this isn't
always enough. (By the way, I'm taking some of this info from a book as
well called "Internet Core Protocols: The Definitive Guide", O'Reilly.)

I actually had to go out and buy a book to help translate some of the
RFC engineering jargon. Pretty dry stuff. Anyways...

> OTOH, the MTU value IS set by you...and fragmented as needed as it 
> travels through networks with smaller MTU values....

This is where Path MTU comes into play and this is where, as Tom puts
it so nicely when talking about CLAMPMSS:

"This is used to overcome criminally braindead ISPs or servers which
block ICMP Fragmentation Needed packets.  The symptoms of this
problem are that everything works fine from your Linux
firewall/router, but machines behind it can never exchange large
packets:
    1) Web browsers connect, then hang with no data received.
    2) Small mail works fine, but large emails hang.
    3) ssh works fine, but scp hangs after initial handshaking."

I think that this is part of the problem that one of the Shorewall users
is facing. Undetermined as of yet though.

> >I know that -IP header (20 bytes) and -TCP header (20 bytes) would
> >give you MTU -40 bytes which would give you a MSS value of 1460 bytes
> >for ethernet. Does anyone have any ideas why or links that point to an
> >explanation of this low MSS value.
> >
> Not really following how you're making this calculation, but both TCP
> and IP headers are a minimum of 20 bytes and can go as high as 60
> bytes with the available options.  Adding these two together doesn't
> determine your MTU since the final frame (which is where the MTU
> matters) is made up of MORE than just the IP and TCP headers.

Correct... but I'm taking the RFC into consideration here.

> Another thing, MSS is the size of the DATA package in the TCP
> segment...NOT the size of the header or header plus data.  The name
> Max Segment Size is really a misnomer since the size of the MSS does
> not include the size of the header....only the size of the data.

Correct. And that's basically what I stated above, in more words or less,
using the RFC. max MSS = max MTU -40? Packet sniff and you will see. :P

> Hope maybe this helps somehow.

Yes, any opinions help me make sure that I'm not understanding
something incorrectly, Chris. Thanks for the response.

Joshua Banks
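The thread keeps coming back to "max MSS = max MTU - 40" and to what CLAMPMSS does to a SYN, so here is a small Python example, added for this archived page and not taken from the thread or from Shorewall, that builds and parses the TCP MSS option and applies the clamp a router would apply; the path MTU handed to clamp_mss is an assumed value (1492 is a typical PPPoE figure), not one from the thread.

```python
import struct

IP_HDR = 20   # minimum IPv4 header, no options (RFC 791)
TCP_HDR = 20  # minimum TCP header, no options (RFC 793)
MSS_KIND, MSS_LEN = 2, 4  # TCP option kind 2 (MSS) is always 4 bytes long

def mss_for_mtu(mtu):
    """MSS a host advertises for a link MTU: the MTU minus 40 bytes of minimum IP+TCP headers."""
    return mtu - IP_HDR - TCP_HDR

def build_syn_options(mss):
    """TCP option bytes carrying just an MSS option, as seen in a SYN (constructed sample input)."""
    return struct.pack("!BBH", MSS_KIND, MSS_LEN, mss)

def find_mss_option(options):
    """Walk the TCP option list; return (offset, value) of the MSS option, or None if absent."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:          # End of Option List
            return None
        if kind == 1:          # NOP padding, single byte, no length field
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated TCP option at offset %d" % i)
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        if kind == MSS_KIND:
            if length != MSS_LEN:
                raise ValueError("MSS option must be 4 bytes, got %d" % length)
            return i, struct.unpack("!H", options[i + 2:i + 4])[0]
        i += length
    return None

def clamp_mss(options, path_mtu):
    """Rewrite the SYN's MSS to at most path_mtu - 40, as an MSS clamp on the router does.
    path_mtu is an assumed caller-supplied value. Returns (new_options, advertised, effective)."""
    found = find_mss_option(options)
    if found is None:            # no MSS option: nothing to clamp (default 536 applies)
        return bytes(options), None, None
    offset, advertised = found
    limit = mss_for_mtu(path_mtu)
    if advertised <= limit:      # already small enough; the clamp leaves the SYN alone
        return bytes(options), advertised, advertised
    clamped = bytearray(options)
    struct.pack_into("!H", clamped, offset + 2, limit)  # overwrite only the 16-bit MSS value
    return bytes(clamped), advertised, limit
```

Run it over a SYN whose options are NOP, NOP, MSS 1460, SACK-permitted with a 1492-byte path MTU and the MSS comes back as 1452 with the surrounding options untouched, which is the whole trick CLAMPMSS relies on when ICMP Fragmentation Needed never arrives.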
