Disabling IP unreachables breaks pMTUd
A while ago someone sent me an interesting problem: the moment he enabled simple MPLS in his enterprise network with ip mpls interface configuration commands, numerous web applications stopped working. My first thought was “MTU problems” (the usual culprit), but path MTU discovery should have taken care of that.
As it turned out, the reduced MTU caused by the MPLS header was the problem, but the usual suspect (a sloppily configured firewall) was not to blame. Following (possibly outdated) best practices found on the Internet, someone had configured no ip unreachables on most router interfaces. ICMP fragmentation needed packets were considered to belong to the same bunch, and so the edge routers quietly dropped the packets they could not send into the MPLS core.
Tangential notes
- You’ll find more information on Path MTU Discovery in my IP Corner article.
- The web servers should have discovered that the path MTU discovery (pMTUd) had been broken, but obviously the operating system they were using didn’t support RFC 4821 (Packetization Layer Path MTU Discovery).
- One of the reasons one might have had to disable IP unreachables in the past was to protect the router’s control plane. ICMP packets are usually generated by the router’s CPU; before you could rate-limit them, it was quite easy to overwhelm a router with packets triggering ICMP replies. With the ip icmp rate-limit unreachables command you can set different limits for fragmentation needed packets and other unreachables.
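To make the failure mode concrete, here is an added simulation (not from the original post): a tiny model of a path whose edge router either returns ICMP fragmentation needed or silently drops oversized DF packets, run against a classic RFC 1191 sender and an RFC 4821 style probing sender. The hop names, the MTU values and the 512-byte probing floor are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Hop:
    name: str
    mtu: int                 # largest IP packet this hop will forward
    send_unreachables: bool  # False models 'no ip unreachables' on the router

def forward(path, size, df=True):
    """Returns ('delivered', None), ('frag_needed', hop_mtu) or ('black_hole', hop_name)."""
    for hop in path:
        if size <= hop.mtu:
            continue
        if not df:
            size = hop.mtu                    # router fragments; the pieces fit from here on
        elif hop.send_unreachables:
            return ("frag_needed", hop.mtu)   # ICMP fragmentation-needed goes back to the sender
        else:
            return ("black_hole", hop.name)   # dropped silently: nobody tells the sender
    return ("delivered", None)

def classic_pmtud(path, start=1500, max_rounds=10):
    """RFC 1191 behaviour: set DF and trust ICMP to report the next-hop MTU."""
    mtu = start
    for _ in range(max_rounds):
        status, info = forward(path, mtu)
        if status == "delivered":
            return mtu, True
        if status == "black_hole":
            return mtu, False                 # stalls here when unreachables are suppressed
        mtu = info                            # shrink to the MTU the ICMP message reported
    return mtu, False

def plpmtud(path, lo=512, hi=1500):
    """RFC 4821 style: no ICMP needed; binary-search the largest size that is acknowledged.
    `lo` is assumed to be a size known to get through (RFC 4821 starts from such a floor)."""
    if forward(path, hi)[0] == "delivered":
        return hi, True
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if forward(path, mid)[0] == "delivered":
            lo = mid
        else:
            hi = mid
    return lo, True

# Constructed topology: campus LAN, then the edge link into an MPLS core where one 4-byte label leaves 1496 bytes for IP
CORE_MTU = 1500 - 4
PATH_OK = [Hop("campus", 1500, True), Hop("edge-to-mpls-core", CORE_MTU, True)]
PATH_SILENT = [Hop("campus", 1500, True), Hop("edge-to-mpls-core", CORE_MTU, False)]
```

With unreachables enabled the classic sender converges to 1496 bytes after one ICMP message; with them suppressed it never leaves 1500 bytes, while the RFC 4821 probing sender still finds 1496 without any ICMP feedback.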