Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Recommended TCP/IP settings for WAN links with a MTU size of less than 576


View products that this article applies to.

Summary

The MS05-019 security update modifies how the operating system validates Internet Control Message Protocol (ICMP) requests. This security update prevents an ICMP-based attack. However, under special circumstances, this security update may cause the computer to lose network connectivity. This article describes three methods that you can use to help prevent the computer from losing network connectivity when the MS05-019 security update is installed.

↑ Back to the top


Introduction

This article describes the recommended TCP/IP settings for wide area network (WAN) links with a Maximum Transmission Unit (MTU) size of less than 576.

↑ Back to the top


More Information

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows


The MS05-019 security update modifies how the operating system validates Internet Control Message Protocol (ICMP) requests. This security update restricts the lowest MTU size to 576 bytes. The MTU size is restricted to prevent an ICMP-based attack. An ICMP-based attack could reduce the MTU size to very low value. A very low MTU size could cause a severe decrease in performance.

However, an MTU size that is restricted to 576 bytes may affect certain WAN scenarios, such as satellite links. In these WAN scenarios, the MTU size might be less than 576. In these WAN scenarios, network connectivity may be lost. You can use tools such as Network Monitor to detect whether you are experiencing such scenarios by analyzing a network trace. If the destinations to which the network connectivity is lost has any ICMP destination unreachable message with the next hop MTU value of less than 576, you are experiencing such scenarios.



Under these special circumstances, consider using one of the following recommendations.

Note You should not use the following recommendations if you are not experiencing one of these scenarios. The following recommendations may reduce the network throughput.

Method 1: Enable Path Maximum Transfer Unit (PMTU) black hole detection

If you enable the Path Maximum Transfer Unit (PMTU) black hole detection feature, TCP will try to send segments that do not have the Don't Fragment bit set. TCP will try to send these segments if several retransmissions of a segment go unacknowledged. If a segment is acknowledged, the maximum segment size (MSS) will be reduced and the Don't Fragment bit will be set in future packets on the connection.



This method is preferred because the packet size is lowered for only the problematic segment. Black hole detection increases the maximum number of retransmissions for a specific segment.

To enable PMTU black hole detection, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate the following key in the registry:



    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type EnablePMTUBHDetect, and then press ENTER.
  5. On the Edit menu, click Modify.
  6. In the Value data box, type 1, and then click OK.
  7. Quit Registry Editor, and then restart the computer.

Method 2: Disable PMTU Discovery

If you disable PMTU Discovery, TCP will only send packets that have an MTU size of 576 and that do not have the Don't Fragment set. This enables the routers to fragment the packet and send the packet across the networks.



This method affects packets sent to all destinations. Most of the time, the performance will be at acceptable levels with a packet size of 576. However, performance will be lower than if PMTU Discovery was enabled and the path supported an MTU size larger than 576.


To disable PMTU Discovery, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate the following key in the registry:



    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type EnablePMTUDiscovery, and then press ENTER.
  5. On the Edit menu, click Modify.
  6. In the Value data box, type 0, and then click OK.
  7. Quit Registry Editor, and then restart the computer.

Method 3: Set the MTU size for the network interface manually

If you set the MTU size for a network interface manually, this setting overrides the default MTU for the network interface. The MTU size is the maximum packet size in bytes that the transport will transmit over the underlying network.



This method affects packets sent to all destinations and may significantly affect the performance, depending on the MTU size that you set.


To set the MTU size for the network interface, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate the following key in the registry:



    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<ID for network interface>
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type MTU, and then press ENTER.
  5. On the Edit menu, click Modify.
  6. In the Value data box, type the value of the MTU size, and then click OK.
  7. Quit Registry Editor, and then restart the computer.

↑ Back to the top


References

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

898060 Network connectivity between clients and servers may fail after you install security update MS05-019 or Windows Server 2003 Service Pack 1


For more information about TCP/IP, visit the following Microsoft TechNet Web site:

↑ Back to the top


Keywords: kbpubtypepublic, kbmustloc, kblangall, kbtshoot, kbprb, kbsecurity, kbbug, kbpubtypekc, kb

↑ Back to the top

Article Info
Article ID : 900926
Revision : 4
Created on : 4/17/2018
Published on : 4/17/2018
Exists online : False
Views : 368