Recommended TCP/IP settings for WAN links with a MTU size of less than 576

Article ID: 900926

SUMMARY

The MS05-019 security update modifies how the operating system validates Internet Control Message Protocol (ICMP) requests. This security update prevents an ICMP-based attack. However, under special circumstances, this security update may cause the computer to lose network connectivity. This article describes three methods that you can use to help prevent the computer from losing network connectivity when the MS05-019 security update is installed.

Introduction

This article describes the recommended TCP/IP settings for wide area network (WAN) links with a Maximum Transmission Unit (MTU) size of less than 576.

MORE INFORMATION

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows


The MS05-019 security update modifies how the operating system validates Internet Control Message Protocol (ICMP) requests. This security update restricts the lowest MTU size to 576 bytes. The MTU size is restricted to prevent an ICMP-based attack. An ICMP-based attack could reduce the MTU size to a very low value. A very low MTU size could cause a severe decrease in performance.

However, an MTU size that is restricted to 576 bytes may affect certain WAN scenarios, such as satellite links. In these WAN scenarios, the MTU size might be less than 576. In these WAN scenarios, network connectivity may be lost. You can use tools such as Network Monitor to detect whether you are experiencing such a scenario by analyzing a network trace. If the trace contains an ICMP Destination Unreachable message for a destination to which network connectivity is lost, and that message carries a next-hop MTU value of less than 576, you are experiencing such a scenario.
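The check described above, as an added example that is not part of the Knowledge Base article: a PowerShell function that takes the raw bytes of a captured IPv4 packet (as a Network Monitor or similar capture exposes them), recognizes an ICMP Destination Unreachable message with code 4 (Fragmentation Needed), and reports the next-hop MTU the router advertised together with whether it is below the 576-byte floor. The function name, the parameter names and the sample packet are constructed for this example; the field offsets follow the IPv4 and ICMP header layouts.

```powershell
# Added example (not part of KB 900926). Inspect one captured IPv4 packet and
# report whether it is an ICMP Destination Unreachable / Fragmentation Needed
# message (type 3, code 4) whose Next-Hop MTU is below the MS05-019 floor.
# Assumption: $Packet holds the packet bytes starting at the IPv4 header.

function Test-SmallNextHopMtu {
    param(
        [Parameter(Mandatory)] [byte[]] $Packet,
        [int] $MinimumMtu = 576
    )

    # IPv4 header length is the low nibble of byte 0, in 32-bit words.
    $version = [int]$Packet[0] -shr 4
    if ($version -ne 4) { return $null }
    $ihl = ([int]$Packet[0] -band 0x0F) * 4
    if ([int]$Packet[9] -ne 1) { return $null }       # protocol 1 = ICMP

    $icmp = $ihl                                      # offset of the ICMP header
    $type = [int]$Packet[$icmp]
    $code = [int]$Packet[$icmp + 1]
    if ($type -ne 3 -or $code -ne 4) { return $null } # not Fragmentation Needed

    # RFC 1191: ICMP header bytes 6-7 carry the Next-Hop MTU, big-endian.
    $nextHopMtu = ([int]$Packet[$icmp + 6] -shl 8) -bor [int]$Packet[$icmp + 7]

    # The source address of the ICMP message is the router reporting the small MTU.
    $router = '{0}.{1}.{2}.{3}' -f $Packet[12], $Packet[13], $Packet[14], $Packet[15]

    [pscustomobject]@{
        Router       = $router
        NextHopMtu   = $nextHopMtu
        BelowMinimum = ($nextHopMtu -lt $MinimumMtu)
    }
}

# Constructed sample: a router at 192.0.2.1 tells 192.0.2.100 that the next hop
# only carries 512-byte packets (56 bytes total: 20 IP + 8 ICMP + 20 IP + 8 TCP).
$sample = [byte[]]@(
    0x45,0x00,0x00,0x38, 0x00,0x00,0x00,0x00, 0x40,0x01,0x00,0x00,  # IPv4 header, proto 1
    192,0,2,1,                                                      # source: the router
    192,0,2,100,                                                    # destination: this host
    0x03,0x04,0x00,0x00,                                            # ICMP type 3, code 4, checksum
    0x00,0x00,0x02,0x00,                                            # unused, Next-Hop MTU 0x0200 = 512
    0x45,0x00,0x05,0xDC, 0x12,0x34,0x40,0x00, 0x80,0x06,0x00,0x00,  # original IP header (DF set)
    192,0,2,100, 198,51,100,7,                                      # original src / dst
    0x04,0xD2,0x01,0xBB, 0x00,0x00,0x00,0x01                        # first 8 bytes of original TCP header
)

Test-SmallNextHopMtu -Packet $sample
```

A result with `BelowMinimum` equal to `True` for a destination you cannot reach is the indicator the article describes; running the function over every ICMP packet in the trace and grouping by `Router` shows which hop is advertising the small MTU.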

Under these special circumstances, consider using one of the following recommendations.

Note You should not use the following recommendations if you are not experiencing one of these scenarios. The following recommendations may reduce the network throughput.

Method 1: Enable Path Maximum Transfer Unit (PMTU) black hole detection

If you enable the Path Maximum Transfer Unit (PMTU) black hole detection feature, TCP will try to send segments that do not have the Don't Fragment bit set. TCP will try to send these segments if several retransmissions of a segment go unacknowledged. If a segment is acknowledged, the maximum segment size (MSS) will be reduced and the Don't Fragment bit will be set in future packets on the connection.

This method is preferred because the packet size is lowered for only the problematic segment. Black hole detection increases the maximum number of retransmissions for a specific segment.

To enable PMTU black hole detection, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate the following key in the registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type EnablePMTUBHDetect, and then press ENTER.
  5. On the Edit menu, click Modify.
  6. In the Value data box, type 1, and then click OK.
  7. Quit Registry Editor, and then restart the computer.

Method 2: Disable PMTU Discovery

If you disable PMTU Discovery, TCP will only send packets that have an MTU size of 576 and that do not have the Don't Fragment bit set. This enables the routers to fragment the packet and send the packet across the networks.

This method affects packets sent to all destinations. Most of the time, the performance will be at acceptable levels with a packet size of 576. However, performance will be lower than if PMTU Discovery were enabled and the path supported an MTU size larger than 576.

To disable PMTU Discovery, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate the following key in the registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type EnablePMTUDiscovery, and then press ENTER.
  5. On the Edit menu, click Modify.
  6. In the Value data box, type 0, and then click OK.
  7. Quit Registry Editor, and then restart the computer.

Method 3: Set the MTU size for the network interface manually

If you set the MTU size for a network interface manually, this setting overrides the default MTU for the network interface. The MTU size is the maximum packet size in bytes that the transport will transmit over the underlying network.

This method affects packets sent to all destinations and may significantly affect the performance, depending on the MTU size that you set.

To set the MTU size for the network interface, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate the following key in the registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<ID for network interface>
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type MTU, and then press ENTER.
  5. On the Edit menu, click Modify.
  6. In the Value data box, type the value of the MTU size, and then click OK.
  7. Quit Registry Editor, and then restart the computer.
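The three registry procedures above, applied from an elevated PowerShell session instead of Registry Editor, as an added example that is not part of the Knowledge Base article. The key paths, value names and value data are the ones the article gives; the function name, its parameters and the backup location are this example's own. Method 3 needs the GUID of the adapter subkey (the `<ID for network interface>` placeholder in the article), which the comment at the end shows how to list.

```powershell
# Added example (not part of KB 900926). Apply one of the article's three
# methods with the registry provider, after exporting the Tcpip\Parameters key
# as the article's "Important" note recommends. Restart afterwards.

function Set-SmallMtuWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('BlackHoleDetection', 'DisablePmtuDiscovery', 'InterfaceMtu')]
        [string] $Method,

        # Only for InterfaceMtu: GUID of the adapter subkey under ...\Tcpip\Parameters\Interfaces
        [string] $InterfaceId,

        # Only for InterfaceMtu: the MTU size to force, in bytes
        [int] $Mtu,

        # Where to save a backup of the Tcpip\Parameters key before changing it (example path)
        [string] $BackupPath = "$env:TEMP\Tcpip-Parameters-backup.reg"
    )

    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

    # Export the key first so the change can be rolled back.
    if ($PSCmdlet.ShouldProcess($base, "export to $BackupPath")) {
        & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' $BackupPath /y | Out-Null
    }

    switch ($Method) {
        'BlackHoleDetection'   { $key = $base; $name = 'EnablePMTUBHDetect';  $data = 1 }  # Method 1
        'DisablePmtuDiscovery' { $key = $base; $name = 'EnablePMTUDiscovery'; $data = 0 }  # Method 2
        'InterfaceMtu' {                                                                   # Method 3
            if (-not $InterfaceId -or -not $Mtu) {
                throw 'InterfaceMtu requires -InterfaceId and -Mtu.'
            }
            $key = Join-Path $base "Interfaces\$InterfaceId"
            if (-not (Test-Path $key)) { throw "Interface key not found: $key" }
            $name = 'MTU'; $data = $Mtu
        }
    }

    if ($PSCmdlet.ShouldProcess("$key\$name", "set DWORD to $data")) {
        # -Type DWord creates the value if it is missing and overwrites it if present.
        Set-ItemProperty -Path $key -Name $name -Value $data -Type DWord
        # Read back what is now stored; the setting takes effect after a restart.
        Get-ItemProperty -Path $key -Name $name | Select-Object -ExpandProperty $name
    }
}

# List the adapter subkeys so the GUID for Method 3 can be chosen:
#   Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces' | Select-Object PSChildName
#
# Preferred method (elevated):  Set-SmallMtuWorkaround -Method BlackHoleDetection
# Preview without changing:     Set-SmallMtuWorkaround -Method DisablePmtuDiscovery -WhatIf
# Then restart the computer.
```

`-WhatIf` shows the export and the value that would be written without touching the registry, which is a reasonable first run given the article's note that these settings reduce throughput when the small-MTU scenario is not actually present.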

REFERENCES

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
898060 Network connectivity between clients and servers may fail after you install security update MS05-019 or Windows Server 2003 Service Pack 1

For more information about TCP/IP, visit the following Microsoft TechNet Web site:
Overview of networking and TCP/IP
http://technet.microsoft.com/en-us/library/cc739443(WS.10).aspx

Properties

Article ID: 900926 - Last Review: September 30, 2011 - Revision: 5.0
APPLIES TO
  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Tablet PC Edition
  • Microsoft Windows XP Media Center Edition 2005 Update Rollup 2
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Professional Edition
Keywords: kbtshoot kbprb kbsecurity kbbug KB900926
