Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Configuring TCP for IP

    IP supports TCP configuration. You use the same commands to configure TCP on IP as you do to configure TCP on IPv6. This topic describes the following tasks:

    Defining TCP Maximum Segment Size for IP

    You can modify the maximum segment size (MSS) for TCP sessions using the ip tcp adjust-mss command.

    When defined, the router modifies the MSS for TCP SYN packets traveling through the interface. The router compares the MSS value of incoming or outgoing packets against the adjusted MSS setting and replaces smaller values that it detects in any packets with the larger setting. If the packet does not contain an MSS value, the router assumes a value of 536 for the packet MSS on which to base the comparison.

    Note:

    • Implementation of the MSS value is identical for both ingress and egress interface traffic. That is, the router uses the same MSS value when adjusting inbound or outbound TCP traffic.
    • The purpose behind using MSS is to alleviate problems with path maximum transmission unit discovery (PMTUD) and resulting black hole detection issues. (See RFC 2923, “ TCP Problems with Path MTU Discovery,” for additional information about the black hole scenario.)
    • Before you configure IP, you must create the lower-layer interfaces over which IP traffic flows.
    • All IP configurations will be removed from the interface when you issue the no ip interface command in Interface Configuration mode.

    To modify the MSS for TCP SYN packets:

    • Issue the ip tcp adjust-mss command in Interface Configuration mode.
      host1(config-if)#ip tcp adjust-mss 1000

      Use the no version to remove the MSS assignment from the interface.

    Setting MSS for TCP Connections for IP

    MSS is used by TCP to define the maximum amount of data that a TCP interface can accept in any single packet (or segment size). The MSS value is typically negotiated during connection establishment and is not renegotiated.

    By default, the router uses an MSS value of 536 bytes and the advertised MSS is derived from the MTU of the transmitting interface. However, you can use the tcp mss command to set the MSS for TCP advertisements.

    You can use the vrfName variable to specify a VRF to which you want to assign the TCP MSS value.

    Note: The MSS value is equal to the MTU value minus the IP and TCP headers, so the MSS value is generally 40 bytes less than the MTU.

    To specify the MSS value for TCP to advertise:

    • Issue the tcp mss command in Interface Configuration mode.
      host1(config-if)#tcp mss 1000

      Use the no version to remove the MSS value so that the router uses the advertised MSS derived from the MTU of the output interface.

    Configuring TCP PMTU Discovery for IP

    IP hosts transmit large amounts of data to other hosts using a series of IP datagrams. To best use resources, increase performance, and avoid difficult reassembly, hosts try to send datagrams that are as large as possible without requiring fragmentation anywhere along the path from the source to the destination. This datagram size is referred to as the path MTU (PMTU), and it is equal to the smallest MTU for each hop in the path.

    Path MTU discovery is the process of discovering the path MTU value and using that value when transmitting TCP packets in datagrams.

    Enabling TCP PMTU Discovery

    You can enable PMTU discovery on the active virtual router using the tcp path-mtu-discovery command.

    You can use the age-timer keyword to set the time (minutes) that TCP waits before attempting to increase the path MTU after receiving an ICMP Too Big message or after previously increasing the PMTU successfully (minutes2). The range of these two timers is 1–30 minutes. The timer defaults to 10 minutes.

    You can use the age-timer indefinite keyword with the tcp path-mtu-discovery command to disable PMTU aging functions.

    To enable and configure PMTU discovery on the virtual router:

    • Issue the tcp path-mtu-discovery command in Global Configuration mode.
      host1:VR1(config)#tcp path-mtu-discovery

    To configure PMTU age timers:

    • Set path MTU discovery age timers differently.
      host1:VR1(config)#tcp path-mtu-discovery age-timer 20 15
    • Set path MTU discovery age timers to the same value (5 minutes).
      host1:VR1(config)#tcp path-mtu-discovery age-timer 5
    • Disable path MTU discovery age timers.
      host1:VR1(config)#tcp path-mtu-discovery age-timer indefinite

    Use the no version with a keyword to return the values to their defaults. Use the no version without any keywords to disable path MTU discovery on the virtual router.

    Limiting TCP PMTU Discovery Values

    You can limit calculated PMTU values within a range by using the tcp path-mtu-discovery command with the max-mtu and min-mtu keywords.

    Note: When specifying PMTU limits, keep the following in mind:

    • If a PMTU discovery value is lower than the configured minimum MTU setting, PMTU discovery is disabled for that connection.
    • If a PMTU discovery value is larger than the configured maximum MTU setting, the configured maximum MTU setting is used.
    • The maximum MTU setting must be greater than the minimum MTU setting.

    To limit the maximum MTU size used for the PMTU:

    • Issue the tcp path-mtu-discovery command with the max-mtu keyword in Global Configuration mode.
      host1:VR1(config)#tcp path-mtu-discovery max-mtu 512

    To specify the minimum MTU value used for the PMTU:

    • Issue the tcp path-mtu-discovery command with the min-mtu keyword in Global Configuration mode.
      host1:VR1(config)#tcp path-mtu-discovery min-mtu 255

    Use the no version to remove any limitation so that the virtual router uses the discovered path MTU value.

    Configuring Black Hole Thresholds for TCP PMTU

    Some domains might be configured not to generate certain ICMP messages (like an ICMP destination unreachable message) or to filter all ICMP messages. Under these conditions, the source of oversized ICMP packets never learns that it is sending oversized packets. The device continues sending oversized packets that never get through. This behavior is often referred to as a black hole.

    A black hole threshold is a limit to the number of times a virtual router can retransmit identical sequences of datagrams before the retransmissions are identified as a problem.

    To specify the number of permitted retransmissions before the retransmissions are determined to be a problem:

    • Issue the tcp path-mtu-discovery command with the black-hole-detect-threshold keyword in Global Configuration mode.
      host1:VR1(config)#tcp path-mtu-discovery black-hole-detect-threshold 200

      Use the no version to disable black hole threshold detection.

    Protecting Against TCP RST or SYN DoS Attacks

    You can use the tcp ack-rst-and-syn command to help protect the router from DoS attacks.

    Normally, when it receives an RST or SYN message for an existing connection, TCP attempts to shut down the TCP connection. This action is expected under normal conditions, but someone maliciously generating otherwise valid RST or SYN messages can cause problems for network applications and the network as a whole.

    When you enable the tcp ack-rst-and-syn command, the router challenges any RST or SYN messages that it receives by sending an ACK message back to the expected source of the message. The source reacts in one of the following ways:

    • If the source did send the RST or SYN message, it recognizes the ACK message to be spurious and resends another RST or SYN message. The second RST or SYN message causes the router to shut down the connection.
    • If the source did not send the RST or SYN message, the source accepts the ACK message as part of an existing connection. As a result, the source does not send another RST or SYN message and the router does not shut down the connection.

      Note: Enabling this command slightly modifies the way TCP processes RST or SYN messages to ensure that they are genuine.

    To help protect the router from TCP RST and SYN DoS attacks:

    • Issue the tcp ack-rst-and-syn command in Global Configuration mode.
      host1(config)#tcp ack-rst-and-syn

      Use the no version to disable this protection (the default mode).

    Preventing TCP PAWS Timestamp DoS Attacks

    The TCP PAWS number option works by including the TCP timestamp option in all TCP headers to help validate the packet sequence number.

    Normally, in PAWS packets that have the timestamps option enabled, hosts use an internal timer to compare the value of the timestamp associated with incoming segments against the last valid timestamp the host recorded. If the segment timestamp is larger than the value of the last valid timestamp, and the sequence number is less than the last acknowledgement sent, the host updates its internal timer with the new timestamp and passes the segment on for further processing.

    If the host detects a segment timestamp that is smaller than the value of the last valid timestamp or the sequence number is greater than the last acknowledgement sent, the host rejects the segment.

    A remote attacker can potentially determine the source and destination ports and IP addresses of both hosts that are engaged in an active connection. With this information, the attacker might be able to inject a specially crafted segment into the connection that contains a fabricated timestamp value. When the host receives this fabricated timestamp, it changes its internal timer value to match. If this timestamp value is larger than subsequent timestamp values from valid incoming segments, the host determines the incoming segments as being too old and discards them. The flow of data between hosts eventually stops, resulting in a denial of service condition.

    Note: Disabling PAWS does not disable other processing related to the TCP timestamp option. This means that even though you disable PAWS, a fabricated timestamp that already exists in the network can still pollute the database and result in a successful DoS attack. Enabling PAWS resets the saved timestamp state for all connections in the virtual router and stops any existing attack.

    To disable the PAWS number option in TCP segments:

    • Issue the tcp paws-disable command in Global Configuration mode.
      host1(config)#tcp paws-disable

      You can specify a VRF context for which you want PAWS disabled. You can use the no version to restore PAWS processing (the default mode).

    Protecting Against TCP Out-of-Order DoS Attacks

    You can use the group of tcp resequence-buffers commands to help protect the router from TCP out-of-order packet DoS attacks.

    TCP guarantees that applications receive data in order. This means that TCP buffers any out-of-order packets it receives until ordered delivery can occur.

    To prevent connections from consuming too many resources, TCP limits the amount of data it accepts to the number of data bytes that the receiver is willing to receive and buffer. TCP does not take into account the buffering scheme that the receiver uses. If the receiver uses a fixed-size receive buffer (that is, buffering all packets) regardless of length, a packet that contains only one data byte might consume many data bytes of buffer space, but only one byte of TCP space.

    Under these conditions, an attacker can send a large number of 1-byte packets to an E Series router in which each packet is buffered, consuming an entire packet buffer and eventually consuming a large amount of resources.

    To defend against this sort of attack, you can set defaults and limits on the number of outstanding buffers on reordering queues. You can configure these defaults and limits on a per-router, per-virtual router, or per-connection within the virtual router basis.

    You can protect the router from TCP out-of-order packet DoS attacks with the following tasks:

    Limiting TCP Resequence Buffers per Router

    To limit the number of outstanding buffers on the entire router:

    • Issue the tcp resequence-buffers global-maximum command in Global Configuration mode.
      host1(config)#tcp resequence-buffers global-maximum

      You can specify a value of zero (0) to turn off the limit. You can use the no version to revert the global maximum buffer value to its default, 1000 buffers.

    Limiting TCP Resequence Buffers per Virtual Router

    You can limit the number of outstanding buffers on existing or newly established virtual routers using the tcp resequence-buffers vr-maximum command and tcp resequence-buffers default-vr-maximum commands.

    To specify the default buffer limit assigned to all virtual routers when the virtual router is established:

    • Issue the tcp resequence-buffers default-vr-maximum command in Global Configuration mode.
      host1(config)#tcp resequence-buffers default-vr-maximum 200

      You can specify a value of zero (0) to turn off the limit assignment. You can use the no version to revert the virtual router maximum value to its default, 100 buffers.

    To define the maximum number of buffers that the current or specified virtual router can use:

    • Issue the tcp resequence-buffers vr-maximum command in Global Configuration mode.
      host1(config)#tcp resequence-buffers vr-maximum

      You can specify a value of zero (0) to turn off the limit assignment. You can use the no version to revert the virtual router maximum value to its default, 100 buffers.

    Limiting TCP Resequence Buffers per Connection

    You can limit the number of outstanding buffers on existing or newly established connections using the tcp resequence-buffers connection-maximum command and tcp resequence-buffers default-connection-maximum commands.

    To define the maximum number of buffers that connections on the current or specified virtual router can use:

    • Issue the tcp resequence-buffers connection-maximum command in Global Configuration mode.
      host1(config)#tcp resequence-buffers connection-maximum 50

      You can specify a value of zero (0) to turn off the connection maximum. You can use the no version to revert the connection maximum value to its default, 10 buffers.

    To specify the default buffer limit assigned to all TCP connections on a virtual router unless a specific limit is set for the virtual router in which the connection is established.

    • Issue the tcp resequence-buffers default-connection-maximum command in Global Configuration mode.
      host1(config)#tcp resequence-buffers default-connection-maximum 100

      You can specify a value of zero (0) to turn off the connection maximum. You can use the no version to revert the connection maximum value to its default, 10 buffers.

    Published: 2014-08-13