Security Basics mailing list archives

RE: RE: VPN & PPPoE


From: "dave" <dave () netmedic net>
Date: Mon, 27 Jan 2003 18:28:12 -0500

Yes, it does support discovery.

http://groups.google.com/groups?q=enablepmtubhdetect&hl=en&lr=&ie=UTF-8&selm=8e7f01c2794c%241f58bda0%242ae2c90a%40phx.gbl&rnum=8

 

Dave Kleiman
dave () netmedic net
www.netmedic.net

 


-----Original Message-----
From: Mark Reardon [mailto:riscorp () mindspring com] 
Sent: Friday, January 24, 2003 10:48
To: Paul Gaskin; 'security-basics () securityfocus com'
Subject: Re: RE: VPN & PPPoE

I don't know if Windows supports MTU discovery but I recommend looking at
Microsoft.com (I tried but my workstation keeps locking up when I do).

MTU discovery sends out the first packet of a connection using the maximum
size and the DF (don't fragment) bit set. If a network device needs to
forward the packet through a link with a too small MTU, it should send back
an ICMP packet stating that fragmentation is required but the DF bit is
set. It should also include the MTU value it will accept.

The originator then retries with a smaller packet (using the provided MTU).
This continues until the packet is acknowledged.
For the rest of this connection's life, the MTU is maintained so
fragmentation doesn't occur.

The drawbacks are that your perimeter needs to allow inbound ICMP packets
of this type, your initial data is slow, and some network devices don't send
the proper MTU to get through (they have a bug or are old).

Once you have the MTU to get to a major location, you can be confident it is
the MTU allowed to get over your end. Most major locations can accept very
large packets (at least 1500). Set that to your MTU and turn off discovery.

I hope this helps,

Mark
-------Original Message-------
From: Paul Gaskin <paul () midwesttechnologies com>
Sent: 01/21/03 10:26 AM
To: "'Keith T. Morgan'" <keith.morgan () terradon com>
Subject: RE: VPN & PPPoE


Is there a sure fire way to come up with a good MTU speed?
We used one in the Microsoft Knowledge Base and came up with an MTU of 1366,
and this didn't seem to do the trick.
Also, we had a concern with setting the MTU really low. How is this going to
affect the way other files get transferred?
Will setting the MTU lower affect the speed of the DSL (surfing the web,
downloading files)?

Thanks 

Paul





-----Original Message-----
From: Keith T. Morgan [mailto:keith.morgan () terradon com]
Sent: Tuesday, January 21, 2003 9:15 AM
To: Paul Gaskin; security-basics () securityfocus com
Subject: RE: VPN & PPPoE


We had to deal with this very issue using IPSEC via Free S/Wan on linux.
The solution was to kick the interface (pppoe facing) MTU down to the 1280
range.  This was after some experimentation.  Play around with the MTU and
you should be able to get it to work.  If you have a sniffer handy on the
client machine, watch to see how much fragmentation is occurring on the
interface.  Lots of fragmentation seemed to break IPSEC for us.

-----Original Message-----
From: Paul Gaskin [mailto:paul () midwesttechnologies com]
Sent: Friday, January 17, 2003 4:29 PM
To: 'security-basics () securityfocus com'
Subject: VPN & PPPoE


I am new to the list and I'm not sure if this even falls into this category,
but I'm getting desperate!

We have set up a VPN and it seems to work fine. Everyone can log on and move
around the network and send and receive email.

One person though... on a DSL using PPPoE cannot send e-mail. We have tried
everything... has anyone run into this problem?

The user is on a Windows XP laptop connected to a Linksys wireless router
(using PPPoE), and Outlook for e-mail.

Any help would be greatly appreciated 

Thanks in advance 

Paul 


----
Mark Reardon
Reardon Information Security Corporation
156 Blue Sky Drive
Marietta, GA 30068
(770) 565-0544
(404) 444-0041 cell
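
The discovery loop and the drawbacks described in the thread above, as an added example that is not part of the original messages: a small Python simulation of a sender probing a path with the DF bit set. The hop names, the tunnel MTU values and the step-down size list are constructed for illustration; only the 1500 starting size comes from the thread.

```python
from dataclasses import dataclass

@dataclass
class Hop:
    name: str
    mtu: int                  # MTU of the link this hop forwards onto
    reports_mtu: bool = True  # False: old or buggy device omits the MTU

# Constructed values: hop names, tunnel MTUs and the step-down list.
FALLBACK_SIZES = [1492, 1400, 1280, 576]
PATH = [Hop("lan-router", 1500), Hop("pppoe-link", 1492),
        Hop("vpn-tunnel", 1400)]
BUGGY_PATH = [Hop("lan-router", 1500), Hop("pppoe-link", 1492),
              Hop("vpn-tunnel", 1420, reports_mtu=False)]

def send_df(path, size):
    """Send one DF packet; None if delivered, else (hop, advertised MTU)."""
    for hop in path:
        if size > hop.mtu:
            return hop, (hop.mtu if hop.reports_mtu else 0)
    return None

def discover(path, start=1500, icmp_allowed=True, max_tries=10):
    """Return (path MTU or None, log of (size, outcome) attempts)."""
    size, log = start, []
    for _ in range(max_tries):
        result = send_df(path, size)
        if result is None:
            log.append((size, "acknowledged"))
            return size, log
        hop, advertised = result
        if not icmp_allowed:
            # The sender never sees the ICMP error and keeps timing out.
            log.append((size, "lost, ICMP filtered at the perimeter"))
            return None, log
        if advertised:
            log.append((size, f"{hop.name}: frag needed, MTU {advertised}"))
            size = advertised
        else:
            log.append((size, f"{hop.name}: frag needed, no MTU given"))
            smaller = [s for s in FALLBACK_SIZES if s < size]
            if not smaller:
                return None, log
            size = smaller[0]
    return None, log

if __name__ == "__main__":
    for label, args in (("normal", (PATH,)), ("buggy hop", (BUGGY_PATH,))):
        print(label, discover(*args))
    print("ICMP blocked", discover(PATH, icmp_allowed=False))
```

With the buggy hop the sender settles on 1400 even though the link would carry 1420, and with ICMP filtered it never learns a working size at all, which is the case where a manually lowered interface MTU is the fallback.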



