WFP and MTU

Haitham_Elkhider Member Posts: 16
Hello,

I have been wondering about MTU and MSS. If you would like to create your own VPN encapsulation mechanism, adding a new IP header to encapsulate the old header (just as an example), you will have 20 bytes of IP header + 8 bytes for the new UDP header = 28 bytes of extra overhead.

Now if the MTU on the Windows machine is 1500 on that interface, without creating a new interface, how could we send our new encapsulated packet of 1528 bytes without fragmentation?

Thanks in advance,

Comments

  • Tim_Roberts Member - All Emails Posts: 13,450
    [email protected] wrote:
    > I have been wondering about MTU and MSS. If you would like to create your own VPN encapsulation mechanism, adding a new IP header to encapsulate the old header (just as an example), you will have 20 bytes of IP header + 8 bytes for the new UDP header = 28 bytes of extra overhead.
    >
    > Now if the MTU on the Windows machine is 1500 on that interface, without creating a new interface, how could we send our new encapsulated packet of 1528 bytes without fragmentation?

    You can't. But why do you care? The fragments will be reassembled at
    the other end, and no one is the wiser.

    --
    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.


  • Jan_Bottorff Member - All Emails Posts: 471
    IPv6 doesn’t use fragmentation, and it’s seriously frowned on for IPv4.

    Most VPNs I’ve seen create a virtual NIC, which declares its MTU to be smaller than 1500. If your VPN is implemented as a filter, you probably need to filter the MTU reporting OIDs and reduce the MTU by your header size.

    Jan


    On 1/31/17, 1:01 AM, "[email protected] on behalf of [email protected]" <[email protected] on behalf of [email protected]> wrote:

    Hello,

    I have been wondering about MTU and MSS. If you would like to create your own VPN encapsulation mechanism, adding a new IP header to encapsulate the old header (just as an example), you will have 20 bytes of IP header + 8 bytes for the new UDP header = 28 bytes of extra overhead.

    Now if the MTU on the Windows machine is 1500 on that interface, without creating a new interface, how could we send our new encapsulated packet of 1528 bytes without fragmentation?

    Thanks in advance,




  • David_R._Cattley Member - All Emails Posts: 2,115
    > I have been wondering about MTU and MSS

    Go read about how IPSec and PMTU work. What you have just described is Tunnel Mode ESP with null encryption or alternatively IP-in-IP. The behavior of both of these encapsulation techniques is well documented.

    Good Luck,
    Dave Cattley
  • Haitham_Elkhider Member Posts: 16
    Tim
    >You can't. But why do you care? The fragments will be reassembled at
    the other end, and no one is the wiser.

    The problem with fragmentation is that it might hit the performance of throughput in case of high transmission speed: 2 packets instead of 1 in the worst cases. What do you think?

    Jan:
    >If your VPN is implemented as a filter, you probably need to filter the MTU reporting OIDs and reduce the MTU by your header size.

    Can you elaborate just a little more? Filter the MTU reporting OIDs?

    I have been thinking about reducing MSS (by 28 bytes), but I'm talking UDP encapsulation now. Also, increasing the MTU of the general interface to 1528 might work; then what about the next hop communication, aka the home router? If the MTU is fixed to 1500 there, we cannot exceed that.

    David:
    >Go read about how IPSec and PMTU work.
    Yes, exactly, IPsec was on my mind when I was trying to figure it out, but then there isn't any IPsec implementation I have seen for WFP; the whole story is confusing me, to be honest.

    Guidance would be super appreciated.
  • MBond Member - All Emails Posts: 846
    I suggest that you start by reading something on the Cisco website about these topics. The articles they have are not designed for programmers and do nothing but cover the concepts, but you should be able to understand how they modify these values in packets as they traverse the network for their own purposes. A classic example is dialup internet access via PPPoE.



    As you have already heard, the solution to maintaining performance while in the presence of an encapsulation protocol is to present a smaller value for MTU & MSS to the application (TCP stack in this case) than the true network can support to prevent the need for fragmentation of full frame packets. Effectively reserving space for your headers (of whatever size) has little tangible effect on short packets and avoids worst case behaviour on connections that transmit a continuous stream of full frames.



    How exactly you implement this in your Windows driver depends to a great degree on how you have designed your encapsulation. At least encapsulation can be designed as a dialup interface, a virtual interface, a protocol driver and/or filter, and they all have different solutions for this problem in your code.






    From: [email protected]
    Sent: February 1, 2017 5:27 AM
    To: Windows System Software Devs Interest List
    Subject: RE:[ntdev] WFP and MTU



    Tim
    >You can't. But why do you care? The fragments will be reassembled at
    the other end, and no one is the wiser.

    The problem with fragmentation is that it might hit the performance of throughput in case of high transmission speed: 2 packets instead of 1 in the worst cases. What do you think?

    Jan:
    >If your VPN is implemented as a filter, you probably need to filter the MTU reporting OIDs and reduce the MTU by your header size.

    Can you elaborate just a little more? Filter the MTU reporting OIDs?

    I have been thinking about reducing MSS (by 28 bytes), but I'm talking UDP encapsulation now. Also, increasing the MTU of the general interface to 1528 might work; then what about the next hop communication, aka the home router? If the MTU is fixed to 1500 there, we cannot exceed that.

    David:
    >Go read about how IPSec and PMTU work.
    Yes, exactly, IPsec was on my mind when I was trying to figure it out, but then there isn't any IPsec implementation I have seen for WFP; the whole story is confusing me, to be honest.

    Guidance would be super appreciated.


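
The header-space reservation discussed in the replies above, as an added example that is not code from the thread or from any poster: it counts the outer fragments for the thread's 1500-byte MTU and 28-byte overhead, then clamps the MSS option of a tunnelled TCP SYN so full segments still fit in one outer packet. The function names, the sample SYN header and its placeholder checksum are constructed for illustration; IPv4 and TCP headers without options beyond MSS are assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* MSS that leaves room for the tunnel: MTU - overhead - inner IPv4 (20) - TCP (20). */
static unsigned max_tcp_mss(unsigned link_mtu, unsigned overhead) {
    return link_mtu - overhead - 40u;
}

/* Outer IPv4 fragments for an inner packet behind 8-byte UDP + 20-byte outer IP. */
static unsigned outer_fragments(unsigned inner_len, unsigned link_mtu) {
    unsigned per_frag = (link_mtu - 20u) / 8u * 8u;  /* fragment data: 8-byte units */
    return (inner_len + 8u + per_frag - 1u) / per_frag;
}

static uint16_t swap16(uint16_t v) { return (uint16_t)(v << 8 | v >> 8); }
/* Clamp the MSS option (kind 2, length 4) of a TCP header to max_mss and patch
 * the checksum incrementally (RFC 1624). Returns the resulting MSS, 0 if none. */
static uint16_t clamp_mss(uint8_t *tcp, size_t len, uint16_t max_mss) {
    size_t hdr = len < 20 ? 0 : (size_t)(tcp[12] >> 4) * 4u;
    if (hdr < 20 || hdr > len) return 0;
    for (size_t i = 20; i < hdr; ) {
        uint8_t kind = tcp[i];
        if (kind == 0) break;                         /* end of option list */
        if (kind == 1) { i++; continue; }             /* NOP padding */
        if (i + 1 >= hdr || tcp[i + 1] < 2 || i + tcp[i + 1] > hdr) break;
        if (kind == 2 && tcp[i + 1] == 4) {
            uint16_t o = (uint16_t)(tcp[i + 2] << 8 | tcp[i + 3]), n = max_mss;
            if (o <= max_mss) return o;               /* already small enough */
            tcp[i + 2] = (uint8_t)(n >> 8); tcp[i + 3] = (uint8_t)n;
            if ((i + 2) & 1) { o = swap16(o); n = swap16(n); }  /* odd offset */
            uint32_t sum = (uint32_t)(uint16_t)~(tcp[16] << 8 | tcp[17]) + (uint16_t)~o + n;
            while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
            tcp[16] = (uint8_t)(~sum >> 8); tcp[17] = (uint8_t)~sum;
            return max_mss;
        }
        i += tcp[i + 1];
    }
    return 0;
}

int main(void) {
    /* Constructed SYN header: MSS option 1460, placeholder checksum 0x1234. */
    uint8_t syn[24] = {0xC0, 0, 0x01, 0xBB, 0, 0, 0, 0, 0, 0, 0, 0, 0x60, 0x02,
                       0xFF, 0xFF, 0x12, 0x34, 0, 0, 2, 4, 0x05, 0xB4};
    unsigned mss = clamp_mss(syn, sizeof syn, (uint16_t)max_tcp_mss(1500, 28));
    printf("fragments=%u clamped_mss=%u\n", outer_fragments(1500, 1500), mss);
    return 0;
}
```

Clamping only helps TCP carried inside the tunnel; UDP and other traffic still depends on the reduced MTU being reported to the stack, as the replies describe.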