The Problem of Path MTU Discovery and RFC-1918 Private Addresses
Path MTU discovery is used to discover the smallest MTU (Maximum Transmission Unit) on the path between two nodes communicating on the Internet. We have seen how path MTU discovery can be broken by inappropriate filtering of all ICMP messages, so that the “Destination Unreachable” messages (specifically code 4, “fragmentation needed and DF set”) are never returned to the sending node.
It turns out that there is another way that Path MTU discovery can be broken – and that is through the use of RFC-1918 private addresses on the network path.
Where several routers are chained together within an organisation (or an “autonomous system”, more on that term later!), some organisations now try to conserve public IP addresses by numbering the internal router-to-router links from RFC-1918 private address space. Packets are passed router to router across those private links and only need to be sent from a public IP address when they leave the organisation's border gateway.
Consider two nodes communicating on the Internet, A and B. Between A and B there are four routers, R1, R2, R3 and R4. The route from R1 to R2 uses public IP addresses, but the route from R2 to R3 and R3 to R4 is set up with private networks using the RFC-1918 addresses on networks 192.168.1.0/24 and 192.168.2.0/24 (say). Furthermore, let us suppose that the MTU of the link between R3 and R4 is lower than that between R1 and R2 and also between R2 and R3.
Now consider what happens when node A sends a full size datagram to B with the Don’t Fragment bit set (because it is doing Path MTU discovery). It is transmitted without problems through R1 to R2, and then on to R3. However R3 cannot deliver the packet to R4 because the MTU of that link is too low. Since the DF bit forbids fragmentation, R3 discards the packet and returns an ICMP Destination Unreachable message (code 4, “fragmentation needed and DF set”) to node A, carrying the MTU of the next-hop link so that A can reduce its packet size.
The problem is that the ICMP message generated by router R3 will carry an RFC-1918 address as its source IP address, because those are the only addresses R3 has on the links involved. It is this message that has to make its way back to node A.
This may not be a problem in itself, but if the first router (R1) has a firewall, it is not unusual for it to drop all traffic with source addresses in the RFC-1918 ranges (because these addresses are not routable on the public Internet, any such packet arriving from outside is normally treated as spoofed). The ICMP message from R3 is therefore dropped on its way back, A never learns the smaller MTU, and path MTU discovery is broken just as surely as if all ICMP messages had been filtered. From A's point of view the symptom is a black hole: small packets get through, but any transfer that fills the MTU stalls. Two remedies are common: have internal routers source their ICMP errors from a public address (typically a loopback interface), or permit “fragmentation needed” messages through the border filter regardless of source, accepting that this relaxes the anti-spoofing rule for that one message type. Hosts can also avoid depending on ICMP altogether with Packetization Layer Path MTU Discovery (RFC 4821), which probes with progressively larger packets and treats their loss, rather than an ICMP message, as the signal.
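The scenario above, modelled as an added example (this is not code from the original article). The topology, the router addresses and the MTU values are constructed to match the text: 203.0.113.0/24 stands in for public address space, the R2-R3 and R3-R4 links use 192.168.1.0/24 and 192.168.2.0/24, and the R3-R4 link has the smallest MTU. Node A's side of Path MTU discovery is reduced to “send with DF set, shrink to the MTU reported by the ICMP error”, and R1's firewall is reduced to a single rule that drops RFC-1918 source addresses. The example also runs the common fix of sourcing R3's ICMP errors from a public address to show that it restores discovery even with the filter in place.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The three RFC 1918 private ranges: the only addresses the border filter in the text drops.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass(frozen=True)
class Router:
    name: str
    icmp_src: str   # address the router puts in the ICMP errors it generates
    out_mtu: int    # MTU of its link towards the next hop


@dataclass(frozen=True)
class FragNeeded:
    """ICMP Destination Unreachable, code 4 (fragmentation needed and DF set)."""
    src: str
    next_hop_mtu: int


def forward_df(path: List[Router], size: int) -> Optional[FragNeeded]:
    """Push a DF datagram of `size` bytes hop by hop.

    The first router whose outgoing link is too small discards it and returns
    the ICMP error it would generate; None means the datagram was delivered.
    """
    for r in path:
        if size > r.out_mtu:
            return FragNeeded(src=r.icmp_src, next_hop_mtu=r.out_mtu)
    return None


def border_passes(icmp: FragNeeded, drop_private_sources: bool) -> bool:
    """R1's firewall: drop anything with an RFC-1918 source when the rule is on."""
    return not (drop_private_sources and is_rfc1918(icmp.src))


def pmtud(path: List[Router], drop_private_sources: bool,
          start_size: int = 1500, max_rounds: int = 8) -> Tuple[int, bool]:
    """Node A's view of Path MTU discovery.

    Returns (last size tried, delivered?). A filtered ICMP error is
    indistinguishable from a black hole: A never sees it, keeps the old size,
    and the datagram never arrives.
    """
    size = start_size
    for _ in range(max_rounds):
        err = forward_df(path, size)
        if err is None:
            return size, True            # delivered at this size: PMTU found
        if not border_passes(err, drop_private_sources):
            return size, False           # error dropped at R1: A learns nothing
        size = err.next_hop_mtu          # shrink to the MTU R3 reported
    return size, False


# Constructed topology from the text: A - R1 - R2 - R3 - R4 - B.
# R1 is public; R2, R3 and R4 are numbered from RFC-1918 space; R3 -> R4 is the narrow link.
PATH = [
    Router("R1", "203.0.113.1", 1500),
    Router("R2", "192.168.1.1", 1500),
    Router("R3", "192.168.2.1", 1400),
    Router("R4", "192.168.2.2", 1500),
]

# Same topology, but R3 sources its ICMP errors from a public loopback address (constructed).
PATH_FIXED = [PATH[0], PATH[1], Router("R3", "203.0.113.3", 1400), PATH[3]]


if __name__ == "__main__":
    print("no filter at R1:          ", pmtud(PATH, drop_private_sources=False))
    print("R1 drops RFC-1918 sources:", pmtud(PATH, drop_private_sources=True))
    print("R3 uses public ICMP source:", pmtud(PATH_FIXED, drop_private_sources=True))
```

Running the script shows the three cases side by side: without the filter A converges on 1400 and delivers; with the filter A is stuck at 1500 and nothing full-sized is ever delivered; with R3 sourcing its error from a public address the filter no longer matters. The range check is written out explicitly rather than using `ipaddress.ip_address(...).is_private`, because that property also matches documentation and other special-purpose ranges, which is not what the border rule in the text filters.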