WFP and MTU

Hello,

I have been wondering about MTU and MSS. If you would like to create your own VPN encapsulation mechanism, adding a new IP header to encapsulate the old header (just as an example), you will have 20 bytes of IP header + 8 bytes for the new UDP header = 28 bytes of extra overhead.

Now, if the MTU on the Windows machine is 1500 on that interface, without creating a new interface, how could we send our new encapsulated packet of 1528 bytes without fragmentation?

Thanks in advance,

xxxxx@gmail.com wrote:

> Now, if the MTU on the Windows machine is 1500 on that interface, without creating a new interface, how could we send our new encapsulated packet of 1528 bytes without fragmentation?

You can’t. But why do you care? The fragments will be reassembled at
the other end, and no one is the wiser.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

IPv6 doesn't use fragmentation, and it's seriously frowned on for IPv4.

Most VPNs I've seen create a virtual NIC, which declares its MTU to be smaller than 1500. If your VPN is implemented as a filter, you probably need to filter the MTU reporting OIDs and reduce the MTU by your header size.

Jan

On 1/31/17, 1:01 AM, "xxxxx@lists.osr.com on behalf of xxxxx@gmail.com" wrote:

> Now, if the MTU on the Windows machine is 1500 on that interface, without creating a new interface, how could we send our new encapsulated packet of 1528 bytes without fragmentation?


NTDEV is sponsored by OSR

Visit the list online at: http:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at http:

To unsubscribe, visit the List Server section of OSR Online at http:

> I have been wondering about MTU and MSS

Go read about how IPSec and PMTU work. What you have just described is Tunnel Mode ESP with null encryption or alternatively IP-in-IP. The behavior of both of these encapsulation techniques is well documented.

Good Luck,
Dave Cattley

Tim:

> You can't. But why do you care? The fragments will be reassembled at the other end, and no one is the wiser.

The problem with fragmentation is that it might hurt throughput performance in the case of high transmission speeds: 2 packets instead of 1 in the worst case. What do you think?

Jan:

> If your VPN is implemented as a filter, you probably need to filter the MTU reporting OIDs and reduce the MTU by your header size.

Can you elaborate just a little more? Filter the MTU reporting OIDs?

I have been thinking about reducing the MSS (by 28 bytes), but I'm talking about UDP encapsulation now. Also, increasing the MTU of the general interface to 1528 might work, but then what about the next-hop communication, aka the home router? If the MTU is fixed to 1500 there, we cannot exceed that.

David:

> Go read about how IPSec and PMTU work.

Yes, exactly, IPsec was on my mind when I was trying to figure it out, but then there isn't any IPsec implementation I have seen for WFP. The whole story is confusing me, to be honest.

Guidance would be super appreciated.

I suggest that you start by reading something on the Cisco website about these topics. The articles they have are not designed for programmers and do nothing but cover the concepts, but you should be able to understand how they modify these values in packets as they traverse the network for their own purposes. A classic example is dialup internet access via PPPoE.

As you have already heard, the solution to maintaining performance while in the presence of an encapsulation protocol is to present a smaller value for MTU & MSS to the application (TCP stack in this case) than the true network can support to prevent the need for fragmentation of full frame packets. Effectively reserving space for your headers (of whatever size) has little tangible effect on short packets and avoids worst case behaviour on connections that transmit a continuous stream of full frames.

How exactly you implement this in your Windows driver depends to a great degree on how you have designed your encapsulation. At the least, encapsulation can be designed as a dialup interface, a virtual interface, a protocol driver and/or a filter, and they all have different solutions for this problem in your code.

Sent from Mail for Windows 10
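The previous reply's point, worked through as an added example (not code from the thread, and Python rather than driver C for readability): the MSS arithmetic for the question's 28-byte UDP/IP overhead, and the MSS clamp a filter would apply to outgoing SYNs so full-size segments never need fragmentation, with the RFC 1624 incremental checksum fix. The SYN segment, addresses and function names are constructed for this illustration.

```python
import struct
ENCAP_OVERHEAD = 20 + 8  # outer IPv4 header + UDP header from the question's encapsulation

def clamped_mss(outer_mtu=1500, overhead=ENCAP_OVERHEAD, ipv6=False):
    """MSS to advertise: outer MTU minus encapsulation minus inner IP+TCP headers (40 v4 / 60 v6)."""
    return outer_mtu - overhead - (60 if ipv6 else 40)

def _fold(total):  # end-around carry for a 16-bit one's-complement sum
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip, dst_ip, segment):
    """IPv4 TCP checksum over pseudo-header + segment; 0 means the segment verifies."""
    data = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment)) + segment
    data += b"\x00" * (len(data) % 2)
    return ~_fold(sum(struct.unpack("!%dH" % (len(data) // 2), data))) & 0xFFFF

def checksum_adjust(old_csum, old_val, new_val):
    """RFC 1624 incremental update: patch one 16-bit word without rereading the segment."""
    return ~_fold((~old_csum & 0xFFFF) + (~old_val & 0xFFFF) + new_val) & 0xFFFF

def clamp_tcp_mss(segment, max_mss):
    """Lower the MSS option of a SYN to max_mss and fix the checksum; other segments pass through."""
    if not segment[13] & 0x02:  # MSS is only carried on SYN
        return segment
    seg, hdr_len, i = bytearray(segment), (segment[12] >> 4) * 4, 20
    while i < hdr_len:
        kind = seg[i]
        if kind == 0:  # end of option list
            break
        if kind == 1:  # NOP padding
            i += 1
            continue
        length = seg[i + 1] if i + 1 < hdr_len else 0
        if length < 2 or i + length > hdr_len:  # malformed options: leave the segment alone
            return segment
        if kind == 2 and length == 4:
            old = struct.unpack_from("!H", seg, i + 2)[0]
            if old > max_mss:
                struct.pack_into("!H", seg, i + 2, max_mss)
                csum = struct.unpack_from("!H", seg, 16)[0]
                struct.pack_into("!H", seg, 16, checksum_adjust(csum, old, max_mss))
        i += length
    return bytes(seg)

def make_syn(mss, src_ip, dst_ip):
    """Constructed sample SYN (40000 -> 443, 24-byte header carrying an MSS option), checksum set."""
    hdr = struct.pack("!HHIIBBHHHBBH", 40000, 443, 1, 0, 6 << 4, 0x02, 65535, 0, 0, 2, 4, mss)
    return hdr[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, hdr)) + hdr[18:]
```

With the thread's numbers this yields an MSS of 1432 for IPv4 (1500 - 28 - 40), so a full segment plus inner headers plus the 28-byte tunnel overhead lands exactly on the 1500-byte outer MTU.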

From: xxxxx@gmail.com
Sent: February 1, 2017 5:27 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] WFP and MTU
