Unstable/Slow Performing Networks or VPNs? …just go grocery shopping!

Updated: Dec 1, 2019

Grocery shopping can help you remedy sluggish networks & VPNs.

Imagine you have a shopping list of items you need to get at the grocery store. You have two options:

  1. Take one trip to the grocery store and get everything you need for the week, or

  2. Take multiple trips, buying one item at a time, to achieve the same feat.

Obviously, unless you are purposefully trying to get out of the house you’d choose “#1”. But why do we so often choose “#2” when it comes to our data transmission performance? The key metric here is #efficiency.


MTU…says “You Should Size Your Shopping Cart Appropriately So Groceries Aren’t Left Behind!”

MTU is an acronym that stands for Maximum Transmission Unit, which is the single largest physical packet size, measured in bytes, that a #network can transmit. If a message is larger than the specified MTU it is broken up into separate, smaller packets (packet #fragmentation), which slows the overall transmission speed because instead of making one trip to the grocery store you are now making multiple trips to achieve the same goal. In other words, the maximum length of a data unit a protocol can send in one trip without fragmentation occurring is dictated by the #MTU value defined.


Do I Really Need to Manually Correct the MTU Value?

Again, the correct MTU value helps you select the appropriate shopping cart size in order to be the most efficient while grocery shopping, so that your cart can handle the load without spilling over and requiring you to make multiple trips. "Shouldn’t I just leave the MTU at the default/automatic setting?" In general, many people think only of the network protocol #Ethernet MTU (having a theoretical maximum of 1500). However, this article primarily deals with performance problems related to #throughput, instability, and connectivity issues with the #WAN and/or #VPN. For example, in the case of VPN issues, the VPN encapsulation process naturally adds overhead to every packet. For this reason most VPNs send their transport #packets with the "Don't Fragment" (DF) option enabled, which keeps the encapsulated #TCP stream simpler and prevents needless fragmentation and re-transmission.

Image.2: The DF bit in the IP header.

This means that the Windows MTU (for example) of the virtual interface must be smaller than the MTU of your network (Ethernet) card in order to allow "spare room" for the outer "encapsulation" portion of the packet.
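To make the DF bit from Image.2 concrete, here is a small added Python example (not part of the original article) that builds a minimal IPv4 header, sets or clears the DF flag, computes the RFC 791 header checksum, and decodes the flags and fragment offset back out of the raw bytes. The addresses and the 1476-byte payload length (the article's 1468-byte ping buffer plus the 8-byte ICMP header) are constructed sample values.

```python
import socket
import struct

# IPv4 flags live in the top 3 bits of the 16-bit "flags + fragment offset"
# word at byte offset 6 of the header (RFC 791): reserved, DF, MF.
DF_FLAG = 0x4000
MF_FLAG = 0x2000
FRAG_OFFSET_MASK = 0x1FFF  # low 13 bits, in units of 8 octets


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words, then complemented.
    Running it over a header whose checksum field is already filled in
    returns 0 when the header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, df: bool = True,
                      proto: int = 1, ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Build a 20-byte IPv4 header (no options) for `payload_len` bytes of
    data following the header. proto=1 is ICMP, which is what ping sends."""
    flags_frag = DF_FLAG if df else 0  # MF clear, offset 0: an unfragmented datagram
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45,                 # version 4, IHL 5 (20 bytes)
                      0,                    # DSCP/ECN
                      20 + payload_len,     # total length
                      ident,
                      flags_frag,
                      ttl,
                      proto,
                      0,                    # checksum placeholder
                      socket.inet_aton(src),
                      socket.inet_aton(dst))
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_fragment_fields(header: bytes) -> dict:
    """Decode DF, MF, the fragment offset (in bytes) and the total length
    from a raw IPv4 header."""
    flags_frag = struct.unpack("!H", header[6:8])[0]
    return {
        "DF": bool(flags_frag & DF_FLAG),
        "MF": bool(flags_frag & MF_FLAG),
        "offset": (flags_frag & FRAG_OFFSET_MASK) * 8,
        "total_length": struct.unpack("!H", header[2:4])[0],
    }


if __name__ == "__main__":
    # Constructed sample: 1468-byte ping payload + 8-byte ICMP header = 1476
    # bytes after the IP header, so total length comes out at 1496.
    hdr = build_ipv4_header("192.0.2.1", "192.0.2.2", 1476, df=True)
    print(parse_fragment_fields(hdr))
    print("checksum ok:", ipv4_checksum(hdr) == 0)
```

A router that must fragment a datagram carrying DF instead drops it and answers with ICMP "fragmentation needed" (the message the ping test later in this article relies on), so the single 0x4000 bit is what turns an MTU mismatch from silent slowdown into a visible error.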


The majority of VPNs comprehend this and therefore set MTU automatically/dynamically. To achieve this automatic setting, they may use methods like Path MTU (PMTU) Discovery to figure this out, and then enforce the #DF bit (flag) accordingly.


However, nothing is perfect and there are numerous scenarios where this "automatic" MTU Discovery process can fail. Here are a few examples:

  • Scenario #1 - A non-Ethernet network layer (e.g. some DSL lines using ATM/PPPoE + PPPoA, "CSU/DSU serial", etc.) sits between the client & server, which are both running on Ethernet, and one of those layers does not support PMTU.

  • Scenario #2 - Disabling #ICMP on the #Firewall can result in #PMTU failing.


Considerations

  • A larger MTU is more efficient in cases where your network link is #reliable.

  • However, if your network link is unreliable, a single corrupted bit or any lost packet means the entire, larger packet must be sent all over again. In that case a lower MTU value achieves better performance.

Image.3: MTU Optimal Value scale.

Determining the MTU Value for Your Internet Connection

Modifying the MTU values for the WAN and/or VPN interface, in some environments, can provide a tremendous performance boost (5-90%).

  • For example, many flavors of DSL such as PPPoE and PPPoA add additional layers of padding to the datagram and thereby reduce the “spare” size of the MTU. As a general rule of thumb, such DSL connections may operate more effectively at a reduced MTU of something near 1400.


How to Select the Right Shopping Cart for the Job

(Performing the MTU Packet Size Test)


METHOD #1: Manually

1. In Windows, go to Start > Run > cmd

2. Type this command: ping -f -l [buffer_size] [hostname] & press Enter on the keyboard.

e.g. ping -f -l 1500 www.google.com

Parameters Explained:

The -f switch sets the "Don't Fragment" flag in the packet (IPv4 only).

The -l [buffer_size] switch sets the send buffer size.

Image.4: Command Line showing "Packet needs to be fragmented but DF set" indicating the Buffer Size value is too large.

3. If you receive the message "Packet needs to be fragmented but DF set" (with 100% packet LOSS), the MTU value (buffer size) was too large (see Image.4 above). Reduce the buffer size by 8 bytes (1500-8 = 1492) and repeat Step 2. Continue to reduce by 8 bytes, testing after each decrement, until you receive 0% packet LOSS (see Image.5 below).


NOTE: Per RFC 791, the valid range of MTU is from 68 to 65,535 and there is no requirement that MTU be a multiple of 8. The numeric value actually represents a count of octets.

Image.5: An example of Command Line showing a successful Buffer Size value. (your Buffer Size value will vary this is only an example)

4. Once you receive successful replies with 0% packet LOSS, take the successful Buffer Size number and add it into the applicable formula below:

Non-VPN (Virtual Private Network) Environment MTU Formula

e.g. If the ping is successful (0 packet loss) at 1468 Buffer Size, the MTU will be

"1468 (Buffer Size) + 20 (IP Header) + 8 (ICMP Header)" = 1496.


  1468  -- Max Buffer Size from MTU Test
+   28  -- IP & ICMP Headers
------
  1496  -- Your Optimum MTU value


VPN Environment MTU Formula

The formula above doesn’t account for #IPSec Overhead (hence no VPN). So, select the correlating IPSec Header according to how the VPN is configured from the table below:


IPSec Transform Set                              IPSec Overhead (Max Bytes)
esp-aes-(128, 192 or 256) esp-sha-hmac or md5    73
esp-aes-(128, 192 or 256)                        61
esp-des, esp-3des                                45
esp-(des or 3des) esp-sha-hmac or md5            57
esp-null esp-sha-hmac or md5                     45
ah-sha-hmac or md5                               44


e.g. If the ping is successful (0 packet loss) at 1468 Buffer Size, the MTU will be

"1468 (Buffer Size) + 20 (IP Header) + 8 (ICMP Header) – 61 (IPSec Overhead (ESP-AES 256))" = 1435.


  1468  -- Max Buffer Size from MTU Test
+   28  -- IP & ICMP Headers
-   61  -- IPSec Overhead (ESP-AES256)
------
  1435  -- Your Optimum MTU value


5. Enter your Optimum MTU value into your Security Appliance’s WAN interface. Done!
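The whole of METHOD #1 (steps 2 through 4) as one added Python script; this is example code written for this article, not a tool from the original author. It drives the same "DF ping" probe from Python, reproduces the article's step-by-8 search, and goes one step further with a binary search that finds the largest passing payload in about eleven probes and can land on values that are not a multiple of 8 (as the RFC 791 note above allows). The IPsec overhead values are copied from the table above; the Linux ping flags (-M do, -s, -W) and the reliance on ping's exit status are assumptions noted in the comments. Without a hostname argument the script runs against a constructed simulated link so it works offline; pass a hostname to probe a real path.

```python
import platform
import subprocess
from typing import Callable, Optional

IP_HEADER = 20    # IPv4 header, bytes
ICMP_HEADER = 8   # ICMP echo header, bytes

# IPsec overhead in bytes per transform set, as listed in the article's table.
IPSEC_OVERHEAD = {
    "esp-aes esp-sha-hmac/md5": 73,
    "esp-aes": 61,
    "esp-des/3des": 45,
    "esp-des/3des esp-sha-hmac/md5": 57,
    "esp-null esp-sha-hmac/md5": 45,
    "ah-sha-hmac/md5": 44,
}


def ping_df_ok(host: str, payload: int, timeout_s: int = 2) -> bool:
    """Send one echo request with DF set and `payload` data bytes; True if a
    reply came back. Assumption: ping exits non-zero on loss or on
    "needs to be fragmented", which holds for Windows ping and Linux iputils."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload),
               "-w", str(timeout_s * 1000), host]
    else:
        # Linux equivalent of -f / -l: -M do sets DF, -s sets the payload size.
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload),
               "-W", str(timeout_s), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def step_down_search(probe: Callable[[int], bool], start: int = 1500,
                     step: int = 8, floor: int = 40) -> int:
    """The article's manual procedure: start at `start` and drop by `step`
    until a DF ping succeeds. Returns the first passing payload size."""
    size = start
    while size >= floor:
        if probe(size):
            return size
        size -= step
    raise RuntimeError("no payload size passed; check connectivity")


def binary_search_payload(probe: Callable[[int], bool], low: int = 0,
                          high: int = 1500) -> int:
    """Largest passing payload, found by bisection. Assumes the path is
    monotone: if size N passes, every smaller size passes too."""
    if not probe(low):
        raise RuntimeError("even the smallest probe failed; check connectivity")
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low


def optimum_mtu(buffer_size: int, ipsec_transform: Optional[str] = None) -> int:
    """Article formula: buffer + 20 (IP) + 8 (ICMP), minus the IPsec overhead
    when the interface carries a VPN."""
    mtu = buffer_size + IP_HEADER + ICMP_HEADER
    if ipsec_transform is not None:
        mtu -= IPSEC_OVERHEAD[ipsec_transform]
    return mtu


def simulated_link(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real path so the search runs offline:
    a DF ping succeeds only when payload + 28 header bytes fits path_mtu."""
    return lambda payload: payload + IP_HEADER + ICMP_HEADER <= path_mtu


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else None
    probe = (lambda p: ping_df_ok(host, p)) if host else simulated_link(1496)
    buf = binary_search_payload(probe)
    print(f"largest DF payload : {buf}")
    print(f"non-VPN MTU        : {optimum_mtu(buf)}")
    print(f"VPN MTU (esp-aes)  : {optimum_mtu(buf, 'esp-aes')}")
```

On the simulated 1496-byte path both searches stop at a 1468-byte buffer, giving the article's 1496 (non-VPN) and 1435 (ESP-AES) results. On a plain 1500-byte Ethernet path the step-by-8 search still reports 1468 because it never tries 1472, while the binary search finds 1472 and yields the full 1500; that gap is why the RFC 791 note matters in practice.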

METHOD #2: Automatically

1. Download & install this small tool: https://elifulkerson.com/projects/mturoute.php

2. Use the -t option to automate the MTU tests.

This tool even shows at which hop a reduction occurs.


METHOD #3: Contact Your ISP

1. Contact your ISP for the recommended MTU value for your cable, DSL, T1 or other Internet connections.


Cheers!


(This article authored by Brian P was originally posted on Experts Exchange & has won multiple awards including Critics’ Choice, Editors' Choice, & Community Pick.)
