Recommended TCP/IP settings for WAN links with a MTU size of less than 576 (900926)


The information in this article applies to:

  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows XP Professional 64-Bit Edition (Itanium) 2003
  • Microsoft Windows XP Professional 64-Bit Edition (Itanium)
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Tablet PC Edition
  • Microsoft Windows XP Media Center Edition
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Professional
Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry

SUMMARY

The MS05-019 security update modifies how the operating system validates Internet Control Message Protocol (ICMP) requests. This security update prevents an ICMP-based attack. However, under special circumstances, this security update may cause the computer to lose network connectivity. This article describes three methods that you can use to help prevent the computer from losing network connectivity when the MS05-019 security update is installed.

Introduction

This article describes the recommended TCP/IP settings for wide area network (WAN) links with a Maximum Transmission Unit (MTU) size of less than 576.

MORE INFORMATION

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

The MS05-019 security update modifies how the operating system validates Internet Control Message Protocol (ICMP) requests. This security update restricts the lowest MTU size to 576 bytes. The MTU size is restricted to prevent an ICMP-based attack. An ICMP-based attack could reduce the MTU size to very low value. A very low MTU size could cause a severe decrease in performance.

However, an MTU size that is restricted to 576 bytes may affect certain WAN scenarios, such as satellite links. In these WAN scenarios, the MTU size might be less than 576. In these WAN scenarios, network connectivity may be lost. You can use tools such as Network Monitor to detect whether you are experiencing such scenarios by analyzing a network trace. If the destinations to which the network connectivity is lost has any ICMP destination unreachable message with the next hop MTU value of less than 576, you are experiencing such scenarios.

Under these special circumstances, consider using one of the following recommendations.

Note You should not use the following recommendations if you are not experiencing one of these scenarios. The following recommendations may reduce the network throughput.

Method 1: Enable Path Maximum Transfer Unit (PMTU) black hole detection

If you enable the Path Maximum Transfer Unit (PMTU) black hole detection feature, TCP will try to send segments that do not have the Don't Fragment bit set. TCP will try to send these segments if several retransmissions of a segment go unacknowledged. If a segment is acknowledged, the maximum segment size (MSS) will be reduced and the Don't Fragment bit will be set in future packets on the connection.

This method is preferred because the packet size is lowered for only the problematic segment. Black hole detection increases the maximum number of retransmissions for a specific segment.

To enable PMTU black hole detection, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate the following key in the registry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type EnablePMTUBHDetect, and then press ENTER.
  5. On the Edit menu, click Modify.
  6. In the Value data box, type 1, and then click OK.
  7. Quit Registry Editor, and then restart the computer.

Method 2: Disable PMTU Discovery

If you disable PMTU Discovery, TCP will only send packets that have an MTU size of 576 and that do not have the Don't Fragment set. This enables the routers to fragment the packet and send the packet across the networks.

This method affects packets sent to all destinations. Most of the time, the performance will be at acceptable levels with a packet size of 576. However, performance will be lower than if PMTU Discovery was enabled and the path supported an MTU size larger than 576.

To disable PMTU Discovery, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate the following key in the registry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type EnablePMTUDiscovery, and then press ENTER.
  5. On the Edit menu, click Modify.
  6. In the Value data box, type 0, and then click OK.
  7. Quit Registry Editor, and then restart the computer.

Method 3: Set the MTU size for the network interface manually

If you set the MTU size for a network interface manually, this setting overrides the default MTU for the network interface. The MTU size is the maximum packet size in bytes that the transport will transmit over the underlying network.

This method affects packets sent to all destinations and may significantly affect the performance, depending on the MTU size that you set.

To set the MTU size for the network interface, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate the following key in the registry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<ID for network interface>

  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type MTU, and then press ENTER.
  5. On the Edit menu, click Modify.
  6. In the Value data box, type the value of the MTU size, and then click OK.
  7. Quit Registry Editor, and then restart the computer.

REFERENCES

For more information about TCP/IP, visit the following Microsoft TechNet Web site:

Overview of networking and TCP/IP
http://technet2.microsoft.com/windowsserver/en/library/be2b68c1-a279-417b-976a-16601b98447a1033.mspx

Modification Type:MajorLast Reviewed:2/25/2006
Keywords:kbtshoot kbprb kbSecurity kbBug kbmsccsearch kbpubtypekc KB900926 kbAudITPRO kbAudDeveloper
©2004 Microsoft Corporation. All rights reserved.