Junos OS


Do I need to increase MTU due to SSL Handshake?

  • 1.  Do I need to increase MTU due to SSL Handshake?

    Posted 11-26-2020 04:36
    Hi all,


    I have a similar issue to the one described at this URL:

    https://networkdirection.net/https-fragmentation-and-mtu/



    So my question: instead of increasing the MTU along the way upstream, is it enough if I just configure the knob "tcp-mss" under the eBGP group? Please note that it does not involve any VPN.

    Thanks, and I appreciate any feedback.



  • 2.  RE: Do I need to increase MTU due to SSL Handshake?

    Posted 11-27-2020 03:46
    Sorry, too little time to reply properly, but please be aware that MTU means two things, L2 MTU and L3 MTU or IP MTU. Too often even vendors (I shall not name thee, Juniper...oops I did, but you're not the only one!) mix them up. I have seen things like Ethernet MTU 1500 in switches where 1514 or 1518 would have been more appropriate. An IP packet (often max size 1500) needs to be able to fit in an Ethernet frame (1514 bytes if untagged, add 4 bytes for each 802.1Q tag). Ethernet/L2 MTU for physical interfaces can always(?) be set to max size (9216 in most Juniper gear) without problem. It just means that we allow the switch to pass those big chunks of data if they ever come along. If you mess with the MTU of an IRB or RVI (L3 interface), then you need to think twice about fragmentation and stuff. My advice is to make sure you know the difference between L2 and L3 MTU before you dig further.

    Hope this helps!

    /Fredrik


  • 3.  RE: Do I need to increase MTU due to SSL Handshake?

    Posted 11-27-2020 08:46
    Hi,


    Do you know whether HTTPS or SSL traffic should be fragmented or not?

    Thanks


  • 4.  RE: Do I need to increase MTU due to SSL Handshake?

    Posted 11-27-2020 09:02
    In general, HTTPS and SSL don't care whether they are fragmented or not. End systems and firewalls can object, but I'd consider that a bad policy. "Should" they be fragmented? Yes, if HTTPS or SSL packets are bigger than the IP/L3 MTU, whatever that is (often 1500).

    If your hosts have an MTU of 1500, no fragmentation should occur except if packets pass a link with an MTU that won't allow 1500 byte IP packets.
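
To make the arithmetic in the replies above concrete, here is a small added Python model (not from the thread and not a Junos tool) of how IP MTU, 802.1Q tagging and TCP MSS interact on a path with one narrower link; the header sizes are the standard IPv4/TCP/Ethernet ones, while the link MTUs and the 3600-byte record standing in for a TLS certificate message are constructed values. MSS is a per-connection TCP option carried in the SYN, so an MSS clamp only affects the TCP sessions it is applied to.

```python
# Added illustration, not code from the thread or from Junos. Header sizes are
# the standard ones; the link MTUs and record length below are constructed.
ETH_HDR = 14     # untagged Ethernet header (dst MAC, src MAC, EtherType)
DOT1Q_TAG = 4    # each 802.1Q tag adds 4 bytes to the frame
IPV4_HDR = 20    # IPv4 header without options
TCP_HDR = 20     # TCP header without options

def frame_size(ip_mtu, tags=0):
    """L2 frame bytes needed to carry one full-size IP packet (FCS excluded)."""
    return ip_mtu + ETH_HDR + DOT1Q_TAG * tags

def mss_for_mtu(ip_mtu):
    """Largest TCP payload that fits in one IPv4 packet of ip_mtu bytes."""
    return ip_mtu - IPV4_HDR - TCP_HDR

def deliver(record_len, mss, path_mtus, df=True):
    """Split an application record (e.g. a TLS Certificate message) into TCP
    segments of at most mss bytes and check each one against every link MTU on
    the path. Returns one outcome per segment: 'ok', 'fragmented' or 'dropped'."""
    outcomes = []
    for offset in range(0, record_len, mss):
        payload = min(mss, record_len - offset)
        packet = payload + IPV4_HDR + TCP_HDR
        if all(packet <= mtu for mtu in path_mtus):
            outcomes.append("ok")
        elif df:
            # TCP normally sets DF and relies on the router returning ICMP
            # "fragmentation needed". If that ICMP is filtered, the sender keeps
            # retransmitting the same size and the handshake never completes.
            outcomes.append("dropped")
        else:
            outcomes.append("fragmented")
    return outcomes

if __name__ == "__main__":
    path = [1500, 1400, 1500]   # constructed: one narrower link mid-path
    record = 3600               # constructed: a certificate chain larger
                                # than a single segment
    print("frame for 1500 IP MTU, untagged:", frame_size(1500))
    print("frame for 1500 IP MTU, one tag:", frame_size(1500, 1))
    print("MSS from host MTU 1500:", mss_for_mtu(1500), "->",
          deliver(record, mss_for_mtu(1500), path))
    clamp = mss_for_mtu(min(path))
    print("MSS clamped to", clamp, "->", deliver(record, clamp, path))
```

Running it shows the 1460-byte segments derived from a 1500-byte host MTU being dropped at the 1400-byte link, while clamping the MSS to 1360 lets every segment through without fragmentation.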


  • 5.  RE: Do I need to increase MTU due to SSL Handshake?

    Posted 11-27-2020 09:35
    Hi,

    Let's say I configure the knob "tcp-mss 1460" under eBGP. Will the SSL traffic then prioritise using that 1460 instead of using the MTU on the interface?


    Thanks, and I appreciate your feedback.