[personal profile] mjg59
We have a cabin out in the forest, and when I say "out in the forest" I mean "in a national forest subject to regulation by the US Forest Service", which means there's an extremely thick book describing the things we're allowed to do and (somewhat longer) not allowed to do. It's also down in the bottom of a valley surrounded by tall trees (the whole "forest" bit). There used to be AT&T copper, but all that infrastructure burned down in a big fire back in 2021 and AT&T no longer supply new copper links, and Starlink isn't viable because of the whole "bottom of a valley surrounded by tall trees" thing along with regulations that prohibit us from putting up a big pole with a dish on top. Thankfully there are LTE towers nearby, so I'm simply using cellular data. Unfortunately my provider rate limits connections to video streaming services in order to push them down to roughly SD resolution. The easy workaround is just to VPN back to somewhere else, which in my case is a Wireguard link back to San Francisco.

This worked perfectly for most things, but some streaming services simply wouldn't work at all. Attempting to load the video would just spin forever. Running tcpdump at the local end of the VPN endpoint showed a connection being established, some packets being exchanged, and then… nothing. The remote service appeared to just stop sending packets. Tcpdumping the remote end of the VPN showed the same thing. It wasn't until I looked at the traffic on the VPN endpoint's external interface that things began to become clear.

This probably needs some background. Most network infrastructure has a maximum allowable packet size, referred to as the Maximum Transmission Unit or MTU. For ethernet this defaults to 1500 bytes, and these days most links can handle packets of at least this size, so it's pretty typical to just assume you'll be able to send a 1500 byte packet. What's important to remember is that this doesn't mean you have 1500 bytes of payload - the 1500 bytes includes whatever protocol headers are on the packet. For TCP over IPv4 you're typically spending 40 bytes on headers (20 for IP and 20 for TCP, more if either carries options), leaving around 1460 bytes of usable payload. And if you're using a VPN, things get annoying. The original packet becomes the payload of a new packet, which needs another IP header, another UDP (or TCP) header, and usually a header for the VPN protocol itself. All of that still has to fit inside the MTU of the link the VPN packet is sent over, so if that link's MTU is 1500, the effective MTU of the VPN interface has to be lower. Wireguard runs over UDP and adds a 32 byte transport header of its own, so the overhead is 60 bytes when the outer packet is IPv4 and 80 bytes when it's IPv6; wg-quick's default tunnel MTU of 1420 is sized for the IPv6 case. That means simply sending a 1500 byte packet over a Wireguard (or any other VPN) link won't work - adding the extra headers gives you a total packet size of over 1500 bytes, and that won't fit into the underlying link's MTU of 1500.

And yet, things work. But how? Faced with a packet that's too big to fit into a link, there are two choices - break the packet up into multiple smaller packets ("fragmentation") or tell whoever's sending the packet to send smaller packets. Fragmentation seems like the obvious answer, so I'd encourage you to read Valerie Aurora's article on how fragmentation is more complicated than you think. tl;dr - if you can avoid fragmentation then you're going to have a better life. You can explicitly indicate that you don't want your packets fragmented by setting the Don't Fragment bit in the IPv4 header (IPv6 doesn't even offer the choice - routers there never fragment). When such a packet hits a link whose MTU it exceeds, the router drops it and sends back an ICMP error (Fragmentation Needed for IPv4, Packet Too Big for IPv6) telling the sender that the packet was too big and what the MTU of that link is, and the sender resends a smaller packet. This is Path MTU Discovery, and it avoids all the hassle of handling fragments in exchange for the cost of a retransmit the first time the MTU is exceeded. It also typically works these days, which wasn't always the case - people had a nasty habit of filtering the ICMP packets telling the sender that the packet was too big, which broke everything.

What I saw when I tcpdumped on the remote VPN endpoint's external interface was that the connection was getting established, and then a 1500 byte packet would arrive (this is kind of the behaviour you'd expect for video - the connection handshaking involves a bunch of relatively small packets, and then once you start sending the video stream itself you start sending packets that are as large as possible in order to minimise overhead). This 1500 byte packet wouldn't fit down the Wireguard link, so the endpoint sent back an ICMP packet to the remote telling it to send smaller packets. The remote should then have sent a new, smaller packet - instead, about a second after sending the first 1500 byte packet, it sent that same 1500 byte packet. This is consistent with it ignoring the ICMP notification and just behaving as if the packet had been dropped.
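The exchange described in the two paragraphs above, as an added example that is not part of the original post: a "router" (standing in for the VPN endpoint) receives a 1500 byte IPv4 packet with Don't Fragment set, can't push it into a 1420 byte tunnel, and answers with ICMP Destination Unreachable / Fragmentation Needed (type 3, code 4, RFC 1191), carrying the next-hop MTU plus the offending packet's IP header and first 8 bytes. The "sender" validates that message, records the MTU against the destination quoted inside it, and retries with a packet that fits - which is what the CDN host in the post failed to do. Everything is built on constructed packets with no sockets; the 1420 figure is the tunnel MTU from the post, the addresses are RFC 5737 documentation addresses, and the 552 byte floor is Linux's default `net.ipv4.route.min_pmtu`, all chosen for this example. IPv6 does the same job with ICMPv6 Packet Too Big and a 1280 byte floor; that variant is not implemented here.

```python
import socket
import struct

WG_MTU = 1420            # wg-quick's default tunnel MTU, as in the post
IP_PROTO_ICMP, IP_PROTO_TCP = 1, 6
ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED = 3, 4   # "Fragmentation Needed and DF was Set"
MIN_PMTU = 552           # Linux net.ipv4.route.min_pmtu default; RFC 791's floor is 68


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum. Over data that already carries a correct
    checksum the result is 0, which is how verification works below."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int, df: bool = True) -> bytes:
    flags = 0x4000 if df else 0              # DF is the high flag bit of the flags/offset field
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def frag_needed(orig: bytes, router_ip: str, next_hop_mtu: int) -> bytes:
    """The ICMP error a router sends back for an oversized packet with DF set."""
    ihl = (orig[0] & 0x0F) * 4
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    body += orig[:ihl + 8]                   # quoted IP header + first 8 bytes (ports, seq)
    body = body[:2] + struct.pack("!H", ip_checksum(body)) + body[4:]
    orig_src = socket.inet_ntoa(orig[12:16])
    return ipv4_header(router_ip, orig_src, IP_PROTO_ICMP, 20 + len(body), df=False) + body


def router_forward(pkt: bytes, egress_mtu: int, router_ip: str = "192.0.2.1"):
    """What the VPN endpoint does with a packet bound for the tunnel.
    Returns ("forward", pkt), ("fragment", pkt) or ("icmp", error_packet)."""
    total_len = struct.unpack("!H", pkt[2:4])[0]
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)
    if total_len <= egress_mtu:
        return "forward", pkt
    if not df:
        return "fragment", pkt               # fragmentation itself is out of scope here
    return "icmp", frag_needed(pkt, router_ip, egress_mtu)


def learn_pmtu(icmp_pkt: bytes, my_ip: str, cache: dict):
    """Sender side: validate a Fragmentation Needed message and update the
    per-destination PMTU cache. Returns (dst, mtu), or None if it was ignored."""
    ihl = (icmp_pkt[0] & 0x0F) * 4
    if icmp_pkt[9] != IP_PROTO_ICMP:
        return None
    icmp = icmp_pkt[ihl:]
    typ, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (typ, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED) or ip_checksum(icmp) != 0:
        return None
    quoted = icmp[8:]
    # Only act on errors that quote a packet we sent, and key the cache on the
    # destination in that quoted header rather than on whoever emitted the ICMP.
    if socket.inet_ntoa(quoted[12:16]) != my_ip:
        return None
    dst = socket.inet_ntoa(quoted[16:20])
    mtu = max(mtu, MIN_PMTU)                 # a bogus tiny MTU must not stall the flow
    if mtu >= cache.get(dst, 65535):
        return None                          # duplicate or stale; nothing to shrink
    cache[dst] = mtu
    return dst, mtu


def tcp_packet(src: str, dst: str, data_len: int) -> bytes:
    """IPv4 (DF set) + a minimal 20-byte TCP header + data_len bytes of zero payload."""
    tcp = struct.pack("!HHIIBBHHH", 443, 51234, 1, 1, 5 << 4, 0x10, 65535, 0, 0)
    return ipv4_header(src, dst, IP_PROTO_TCP, 40 + data_len) + tcp + bytes(data_len)


def send_with_pmtud(src: str, dst: str, data_len: int, link_mtu: int, cache: dict) -> list:
    """Drive the exchange once: send as large as the cache allows, shrink on ICMP,
    resend. Returns the router's actions in order, e.g. ["icmp", "forward"]."""
    actions = []
    for _ in range(3):                       # one retry suffices; cap it anyway
        budget = cache.get(dst, 65535) - 40  # IP + TCP headers
        action, out = router_forward(tcp_packet(src, dst, min(data_len, budget)), link_mtu)
        actions.append(action)
        if action != "icmp" or learn_pmtu(out, src, cache) is None:
            break
    return actions


if __name__ == "__main__":
    pmtu = {}
    print(send_with_pmtud("203.0.113.10", "198.51.100.7", 1460, WG_MTU, pmtu), pmtu)
```

The host in the post behaved as if `learn_pmtu` always returned None: the first 1500 byte packet drew the ICMP, nothing in the cache changed, and the retransmit timer resent the same 1500 bytes. The two guards in `learn_pmtu` (check the quoted source, refuse to go below a floor) are the usual ones for not letting a forged ICMP from anywhere on the path shrink a flow to a crawl.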

All the services that were failing were failing in identical ways, and all were using Fastly as their CDN. I complained about this on social media and then somehow ended up in contact with the engineering team responsible for this sort of thing - I sent them a packet dump of the failure, they were able to reproduce it, and it got fixed. Hurray!

(Between me identifying the problem and it getting fixed I was able to work around it. TCP carries a Maximum Segment Size (MSS) option in the SYN of each connection, which tells the peer the largest TCP payload it should send on that connection. iptables can rewrite it in transit (the TCPMSS target), so on the VPN endpoint I simply clamped the MSS of connections going into the tunnel to a value small enough that the resulting packets would fit inside the Wireguard MTU. This isn't a complete fix since it's done at the TCP level rather than the IP level - any large UDP packets would still end up breaking)
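The rule that does this in practice is the canonical one from the iptables manual, `iptables -t mangle -A FORWARD -o wg0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu` (or `--set-mss 1380` for an explicit value); the post doesn't quote its exact rule, and `wg0` is an assumed interface name. What that target actually does to a packet is shown below as an added Python example, not the author's configuration: it derives the tunnel MTU from the Wireguard overhead discussed earlier, turns it into an MSS, finds the MSS option in a constructed IPv4 SYN, rewrites it when it is too large, and recomputes the TCP checksum so the packet is still valid. The `build_syn` helper and the RFC 5737 addresses are constructed input for the example.

```python
import socket
import struct

IP_PROTO_TCP = 6
TCP_SYN, TCP_RST = 0x02, 0x04
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS, TCPOPT_WSCALE = 0, 1, 2, 3


def wireguard_mtu(outer_is_ipv6: bool, link_mtu: int = 1500) -> int:
    """Largest inner packet that fits the tunnel: outer IP header, 8-byte UDP header,
    32-byte WireGuard transport header (type 4, receiver index 4, counter 8, tag 16)."""
    return link_mtu - (40 if outer_is_ipv6 else 20) - 8 - 32        # 1440 or 1420


def mss_for_mtu(mtu: int, inner_is_ipv6: bool = False) -> int:
    """MSS = MTU minus the fixed IP and TCP headers; --clamp-mss-to-pmtu derives this
    from the route's MTU. Per-packet TCP options (timestamps) eat into it further."""
    return mtu - (40 if inner_is_ipv6 else 20) - 20


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; 0 over data carrying a correct checksum."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, IP_PROTO_TCP, len(segment))
    return checksum(pseudo + segment)


def _mss_option_offset(tcp: bytes):
    """Walk the TCP option list; return the offset of a well-formed MSS option or None."""
    doff = (tcp[12] >> 4) * 4
    i = 20
    while i < doff:
        kind = tcp[i]
        if kind == TCPOPT_EOL:
            return None
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= doff or tcp[i + 1] < 2:
            return None                                            # malformed option list
        if kind == TCPOPT_MSS and tcp[i + 1] == 4:
            return i
        i += tcp[i + 1]
    return None


def get_mss(pkt: bytes):
    tcp = pkt[(pkt[0] & 0x0F) * 4:]
    off = _mss_option_offset(tcp)
    return None if off is None else struct.unpack("!H", tcp[off + 2:off + 4])[0]


def verify_tcp_checksum(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    return tcp_checksum(pkt[12:16], pkt[16:20], pkt[ihl:]) == 0


def clamp_mss(pkt: bytes, max_mss: int):
    """Rewrite the MSS option of a SYN (not SYN+RST, matching --tcp-flags SYN,RST SYN)
    when it exceeds max_mss, and fix the TCP checksum. Returns (packet, old_mss);
    old_mss is None when nothing changed. The real TCPMSS target also inserts an
    MSS option into a SYN that has none; this example only rewrites an existing one."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IP_PROTO_TCP:
        return pkt, None
    tcp = bytearray(pkt[ihl:])
    if not (tcp[13] & TCP_SYN) or (tcp[13] & TCP_RST):
        return pkt, None
    off = _mss_option_offset(bytes(tcp))
    if off is None:
        return pkt, None
    old = struct.unpack("!H", tcp[off + 2:off + 4])[0]
    if old <= max_mss:
        return pkt, None
    tcp[off + 2:off + 4] = struct.pack("!H", max_mss)
    tcp[16:18] = b"\0\0"                                           # zero, then recompute
    tcp[16:18] = struct.pack("!H", tcp_checksum(pkt[12:16], pkt[16:20], bytes(tcp)))
    return pkt[:ihl] + bytes(tcp), old


def build_syn(src: str, dst: str, mss: int, sport: int = 51234, dport: int = 443) -> bytes:
    """A constructed IPv4 SYN with MSS, NOP and window-scale options (28-byte TCP header)."""
    opts = struct.pack("!BBH", TCPOPT_MSS, 4, mss) + bytes([TCPOPT_NOP, TCPOPT_WSCALE, 3, 7])
    doff = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, doff << 4, TCP_SYN, 65535, 0, 0) + opts
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(s, d, tcp)) + tcp[18:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, IP_PROTO_TCP, 0, s, d)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + tcp
```

Because the clamp only edits the SYN, it shapes what the peer will send for the rest of the TCP connection without touching any later packet, which is why it is cheap and why it does nothing for UDP: there is no per-flow size negotiation to rewrite there. The nftables equivalent is `tcp flags syn tcp option maxseg size set rt mtu` in a forward chain.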

I've no idea what the underlying issue was, and at the client end the failure was entirely opaque: the remote simply stopped sending me packets. The only reason I was able to debug this at all was that I controlled the other end of the VPN as well, and even then I wouldn't have been able to do anything about it if I hadn't been in the fortuitous situation of someone able to fix it seeing my post. How many people go through their lives dealing with things just being broken and having no idea why, and how do we fix that?

(Edit: thanks to this comment, it sounds like the underlying issue was a kernel bug that Fastly developed a fix for - under certain configurations, the kernel fails to associate the MTU update with the egress interface and so it continues sending overly large packets)

Date: 2024-02-20 01:53 am (UTC)
sweh: (Default)
From: [personal profile] sweh
I sometimes wonder if providers deliberately ignore MTU stuff like this to be a simple block for VPNs; "if you can't handle 1500 byte packets then you're trying to access location blocked content"

Date: 2024-02-20 03:01 am (UTC)
rbarclay: (Default)
From: [personal profile] rbarclay
Uh, one of the first common steps in debugging VPN problems is to set MTU=1300. Has been for over 20 years - googling "doesn't work over VPN" has this 4 times on the first page (for me, with my Google history).
Edited Date: 2024-02-20 03:03 am (UTC)

Date: 2024-02-21 01:43 am (UTC)
sweh: (Default)
From: [personal profile] sweh
Oh definitely; in your case it's likely a misconfig at a 3rd party (Fastly). It just made me wonder if some streaming providers might do it deliberately.

Date: 2024-02-21 03:25 am (UTC)
sweh: (Default)
From: [personal profile] sweh
"Networking is hard, let's go shopping"

Date: 2024-03-12 06:19 am (UTC)
From: (Anonymous)
There are lots, lots of links which don't have MTU 1500.
I'd even say that most of the time on a non-wired connection you'll get less than 1500 on the link itself, not including PPPoE or other encapsulation protocol overhead.

Date: 2024-02-20 03:34 am (UTC)
secretagentmoof: (Default)
From: [personal profile] secretagentmoof
Could be DF set, could be "accidentally ignoring *all* ICMP", could be a bunch of other things. Pretty much whenever I'm dealing with non-{Ethernet,WiFi} media, I drop the MTU down whether I need to or not.

Path MTU discovery failure

Date: 2024-02-20 06:12 am (UTC)
From: (Anonymous)
Some kind of Path MTU Discovery failure. Usually ICMP is blocked, but just as common is that the ICMP packet comes from an incorrect (ISP internal) IP, and then gets dropped. This can happen due to NAT-ing or MPLS, or such. This used to be much more common 20 years ago, but it definitely still happens.

OpenVPN has a mtu-test option that can sometimes help with this, I don't know if Wireguard has something similar.

Date: 2024-02-20 03:47 pm (UTC)
From: (Anonymous)
Here's the fix: https://lore.kernel.org/netdev/[email protected]/T/

Date: 2024-02-20 08:14 pm (UTC)
From: (Anonymous)

There used to be AT&T copper but all that infrastructure burned down in a big fire back in 2021 and AT&T no longer supply new copper links,

I'm fairly certain they can't just say no to you. They have a legal commitment via the PUC to provide POTS via copper circuit as the carrier of last resort.

All of the technical things aside, I'd go ahead and file both a PUC and an FCC complaint. You are welcome to pad it out as needed with how you are not able to make 911 calls, you are unable to use an adaptive terminal for the deaf and also that telephone connected medical devices don't work.

Date: 2024-02-21 08:43 am (UTC)
From: (Anonymous)
This is very smart and all, but was that LTE carrier trying to limit video bandwidth for a reason? I get nervous about trying to bypass ISP traffic shaping: they might have limited capacity that's needed by other customers. So if I wanted to watch video at more than SD over a link that only lets me download at SD, I'd be old-fashioned and start it downloading in non real time to watch later (tools like yt-dlp should be able to do this).

It's a pity that it's also hard to contact someone at the ISP who actually knows what they're talking about (rather than just being paid to fob off queries): a quick phone call along the lines of "hey, I'm in Somewhere Forest and I think I'm probably the only serious user of that tower, but I'm not sure, so would you mind terribly much if I bypass the traffic shaping for this movie" would be nice if it were possible.

things just broken

Date: 2024-02-21 12:15 pm (UTC)
From: (Anonymous)
Re "How many people go through their lives dealing with things just being broken and having no idea why, and how do we fix that?", as far as the networking part goes, better simpler tools help.

Back in the Win95 days there used to be lots of small freeware tools available that checked number of hops, packet size, etc and told the user in simple terms what it found. Sometimes they helped with solutions.

Unfortunately, lots of other things are broken but that is often because of shoddy workmanship and low standards. Better standards and regulation might help. I am thinking about a router with no firmware updates...

Nice work!

Date: 2024-02-21 07:10 pm (UTC)
From: [personal profile] gnoutchd

That's so cool that you got Fastly to fix this! Was this IPv4 or IPv6?

I stumbled into this exact problem in mid-2019, and my Googling led to https://tools.ietf.org/html/draft-jaeggli-v6ops-pmtud-ecmp-problem-00, co-authored by someone from Fastly, in which they said that for IPv4, "the relative rarity of sub-1500 byte MTUs [...] makes the problem sufficiently rare that some deployments simply choose to ignore it". After seeing that I assumed we'd have to apply the MSS workaround forever ...

Thanks for this post.

Date: 2024-03-06 02:49 pm (UTC)
From: (Anonymous)
I had a problem connecting to some meetings in Teams. After reading this post I wondered if an MTU issue was causing my problem. I haven't fully tested things, but it tentatively looks like the MSS hack fixes the issue. I don't know why this would have been a problem with only some meetings though.

Matthew Garrett

Power management, mobile and firmware developer on Linux. Security developer at Aurora. Ex-biologist. mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer. Also on Mastodon.