When discussing packet sizes of a given network path, two parameters are often used: MTU or maximum transmission unit, and MSS or maximum segment size.
The maximum transmission unit is the size of the largest protocol data unit (PDU) that can be communicated in a single network layer transaction.The MTU relates to, but is not identical to the maximum frame size that can be transported on the data link layer, e.g. Ethernet frame.
Larger MTU is associated with reduced overhead. Smaller MTU values can reduce network delay. In many cases, MTU is dependent on underlying network capabilities and must be adjusted manually or automatically so as to not exceed these capabilities. MTU parameters may appear in association with a communications interface or standard. Some systems may decide MTU at connect time.
The maximum segment size is a parameter of the options field of the TCP header that specifies the largest amount of data, specified in bytes, that a computer or communications device can receive in a single TCP segment. It does not count the TCP header or the IP header (unlike the MTU for IP datagrams). The IP datagram containing a TCP segment may be self-contained within a single packet, or it may be reconstructed from several fragmented pieces; either way, the MSS limit applies to the total amount of data contained in the final, reconstructed TCP segment.
Therefore, MTU and MSS are related. For IPv4 packets, MSS = MTU - 40 (20 IP header + 20 TCP header); for IPv6 packets, MSS = MTU - 60 (40 IP header + 20 TCP header).
However, MSS is sometimes mistaken for PMTU (Path MTU). MSS is a concept used by TCP in the Transport layer and it specifies the largest amount of data that a computer or communications device can receive in a single TCP segment. While PMTU is used by the IP layer and it specifies the largest packet size that can be sent over this path without suffering fragmentation.
Avoid Fragmentation: PMTUD vs. MSS Clamping
Path MTU Discovery (PMTUD) is a standardized technique in computer networking for determining the MTU on the network path between two IP hosts, usually with the goal of avoiding IP fragmentation. PMTUD was originally intended for routers in IPv4. However, all modern operating systems use it on endpoints. In IPv6, this function has been explicitly delegated to the end points of a communications session.
For IPv4 packets, Path MTU Discovery works by setting the Don’t Fragment (DF) flag bit in the IP headers of outgoing packets. Then, any device along the path whose MTU is smaller than the packet will drop it, and send back an ICMP Fragmentation Needed (Type 3, Code 4) message containing its MTU, allowing the source host to reduce its Path MTU appropriately. The process is repeated until the MTU is small enough to traverse the entire path without fragmentation.
IPv6 routers do not support fragmentation and consequently don’t support the Don’t Fragment option. For IPv6, Path MTU Discovery works by initially assuming the path MTU is the same as the MTU on the link layer interface where the traffic originates. Then, similar to IPv4, any device along the path whose MTU is smaller than the packet will drop the packet and send back an ICMPv6 Packet Too Big (Type 2) message containing its MTU, allowing the source host to reduce its Path MTU appropriately. The process is repeated until the MTU is small enough to traverse the entire path without fragmentation.
If the Path MTU changes after the connection is set up and is lower than the previously determined Path MTU, the first large packet will cause an ICMP error and the new, lower Path MTU will be found. Conversely, if PMTUD finds that the path allows a larger MTU than is possible on the lower link, the OS will periodically reprobe to see if the path has changed and now allows larger packets. On both Linux and Windows this timer is set by default to ten minutes.
However, many network security devices block all ICMP messages for perceived security benefits, including the errors that are necessary for the proper operation of PMTUD. A workaround used by some routers is to change the maximum segment size (MSS) of all TCP connections (specifically, TCP SYN packets) passing through links with MTU lower than the Ethernet default of 1500. This is known as MSS clamping.
MSS clamping is useful when 1) ICMP messages can be blocked in the network or 2) tunneling, including GRE or IPSec, is involved in your data path. By configuring MSS clamping on the tunnel interface, it can avoid necessary fragmentation before encapsulation.