What Is MTU & MSS | Fragmentation Explained | Imperva

MTU and MSS: What You Need to Know


MTU and MSS are two important terms you should be familiar with when you jump into the networking world, and especially if you are working with GRE tunnels and IPSEC.

Maximum Transmission Unit (MTU)

MTU is the largest packet or frame size, specified in octets (eight-bit bytes), that can be sent on a packet- or frame-based network. The internet's transmission control protocol (TCP) uses the MTU to determine the maximum size of each packet in a transmission.

MTU is usually associated with the Ethernet protocol, where a 1500-byte packet is the largest allowed.

What is Fragmentation?

One of the most common problems related to MTU is that sometimes higher-level protocols may create packets larger than a particular link supports.

To get around this issue, IPv4 allows fragmentation, which divides the datagram (the basic information unit transferred in a packet-switched network) into pieces. Each piece is small enough to pass over the link it is fragmented for, using the MTU parameter configured for that interface.

The fragmentation process takes place at the IP layer (OSI layer 3), which marks packets as fragmented. This ensures the IP layer of the destination host knows it should reassemble the packets into the original datagram.

Fragmentation is not supported by some applications, and so should be avoided. The best way to avoid fragmentation is to adjust the TCP Maximum Segment Size (MSS), explained below.

MTU Example: Anatomy of a Datagram

The following diagram illustrates what MTU looks like in a typical network data transmission. The common value of MTU on the internet is 1500 bytes.

(Figure: MTU unit, a 1500-byte datagram with its IP header, TCP header and payload)

A 1500-byte MTU is made up of:

  • A payload, with 1460 bytes
  • The TCP and IP headers, with 20 bytes each

Now consider that you want to use the generic routing encapsulation (GRE) protocol, a tunneling protocol that encapsulates network-layer packets inside a virtual point-to-point IP link.

The following image shows the same datagram with GRE encapsulation, which adds 24 bytes for the GRE header.

(Figure: the same datagram with the GRE header added)

The total size of this kind of packet is 1524 bytes, which exceeds the 1500-byte MTU. To stay within an MTU of 1500, you can decrease the "data" portion of the packet. The mechanism that makes this possible is MSS.

What Is TCP MSS?

TCP MSS is a parameter carried in the options field of the TCP header that defines the maximum segment size: the largest amount of data, in bytes, that a computer or communications device can receive in a single TCP segment.

MSS does not include the TCP header or the IP header. Rather, it dictates the maximum size of the "data" part of the packet. In the GRE tunneling example from the previous section, the headers total 64 bytes (20 for IP, 20 for TCP and 24 for the GRE encapsulation), so the TCP MSS value should be set to 1436 (1500 minus 64) or lower to ensure that fragmentation is not needed.

What Is an MSS Announcement?

During the three-way TCP handshake, each party sends an "MSS announcement". This announcement declares the maximum TCP segment size that the announcing party can accept. MSS applies independently to each direction of data flow.

Since the end device will not always know about the additional encapsulation (such as GRE) that will be added to its packets along the way, it often won't adjust its TCP MSS value. To compensate for this, network devices have the option of rewriting the TCP MSS value in packets that pass through them.

For example, on a Cisco router the interface-level command ip tcp adjust-mss 1436 rewrites the TCP MSS value of any SYN packet that passes through that interface.
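The following Python example is added here to make the two calculations above concrete; it is not code from the original article or from Imperva. It derives the MSS for a given MTU and encapsulation overhead (the 1436 figure from the GRE example), then parses the MSS option out of a constructed TCP SYN header and clamps it the way a router's MSS-adjust feature would. The SYN header bytes, ports and sequence number are sample values invented for the example.

```python
import struct
# Constructed TCP SYN header: 20-byte fixed part plus a 4-byte MSS option (24 bytes).
# Ports, sequence number and checksum are sample values made up for this example.
SYN_HEADER = struct.pack(
    "!HHIIBBHHH",
    40000, 443,        # source port, destination port
    0x11223344, 0,     # sequence number, acknowledgement number
    6 << 4,            # data offset: 6 32-bit words = 24 bytes (reserved bits zero)
    0x02,              # flags: SYN
    65535, 0, 0,       # window, checksum (left zero here), urgent pointer
) + bytes([2, 4]) + struct.pack("!H", 1460)  # option kind 2 (MSS), length 4, MSS 1460

def mss_for_mtu(mtu, ip_header=20, tcp_header=20, encap=0):
    """Largest TCP payload that fits in `mtu` after IP, TCP and tunnel overhead."""
    return mtu - ip_header - tcp_header - encap

def _mss_option_offset(hdr):
    """Byte offset of the 2-byte MSS value inside the TCP options, or None."""
    data_offset = (hdr[12] >> 4) * 4   # total header length including options
    i = 20
    while i < data_offset:
        kind = hdr[i]
        if kind == 0:                  # End of Option List
            return None
        if kind == 1:                  # NOP: one byte, no length field
            i += 1
            continue
        length = hdr[i + 1]
        if kind == 2 and length == 4:  # MSS option: kind 2, length 4
            return i + 2
        i += length
    return None

def read_mss(tcp_header):
    """MSS announced in the segment's options, or None if not present."""
    off = _mss_option_offset(tcp_header)
    return None if off is None else struct.unpack("!H", tcp_header[off:off + 2])[0]

def clamp_syn_mss(tcp_header, max_mss):
    """Copy of a SYN segment with its MSS lowered to max_mss if it was larger.
    This mirrors a router's MSS-adjust feature; a real device must also recompute
    the TCP checksum (bytes 16-17) after rewriting the option."""
    hdr = bytearray(tcp_header)
    if not hdr[13] & 0x02:             # only SYN segments carry an MSS option
        return bytes(hdr)
    off = _mss_option_offset(hdr)
    if off is not None and read_mss(hdr) > max_mss:
        hdr[off:off + 2] = struct.pack("!H", max_mss)
    return bytes(hdr)
```

With the page's numbers, `mss_for_mtu(1500, encap=24)` gives 1436, and clamping the sample SYN to 1436 leaves every other header field untouched.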

GRE Tunnelling and TCP MSS in Web Application Firewalls (WAF)

WAFs commonly use GRE tunnels. To address the possibility of fragmentation, you will need to adjust the TCP MSS value.

The following diagram illustrates a WAF topology using Imperva WAF.

(Figure: MTU and MSS in an Imperva WAF topology, showing the SYN packets of the three-way handshake)

The customer's server sends the SYN packet with an MSS value of 1460, but on the router's interface the MSS is adjusted to 1420. This allows the GRE packets to pass through without fragmentation.

The Imperva WAF is asymmetric – it intercepts inbound traffic, but outbound traffic is allowed to pass directly via the ISP. This means that you only need to set the MSS value on the router handling inbound traffic. There is no need to adjust MSS on the organization’s tunnel interface.

The diagram above shows how the SYN packets in the three-way handshake travel. Once the handshake is complete and the connection is established, the end user will send packets whose data does not exceed 1420 bytes, while the customer's server will send packets whose data does not exceed the default 1460 bytes.

Imperva Web Application Firewall

Imperva provides the market-leading Web Application Firewall, which prevents attacks with world-class analysis of web traffic to your applications.

In addition, Imperva’s application security offering includes several other layers of protection:

Runtime Application Self-Protection (RASP) – Real-time attack detection and prevention from your application runtime environment goes wherever your applications go. Stop external attacks and injections and reduce your vulnerability backlog.

API Security – Automated API protection ensures your API endpoints are protected as they are published, shielding your applications from exploitation.

Advanced Bot Protection – Prevent business logic attacks from all access points – websites, mobile apps and APIs. Gain seamless visibility and control over bot traffic to stop online fraud through account takeover or competitive price scraping.

DDoS Protection – Block attack traffic at the edge to ensure business continuity with guaranteed uptime and no performance impact. Secure your on-premises or cloud-based assets – whether you're hosted in AWS, Microsoft Azure, or Google Public Cloud.

Attack Analytics – Ensures complete visibility with machine learning and domain expertise across the application security stack to reveal patterns in the noise and detect application attacks, enabling you to isolate and prevent attack campaigns.

Client-Side Protection – Gain visibility and control over third-party JavaScript code to reduce the risk of supply chain fraud and prevent data breaches and client-side attacks.