On Wednesday, July 24, 2002, at 01:38 , Brian Gibbons wrote:
> If the bank is going to block ICMP then they should drop the MTU on the Web Server's Internet interface to something like 1450, this should clamp the Server's TCP MSS to a lower value. Not a perfect solution but ....

If the bank is going to block ICMP, then they should take care to do it by sub-code so that they don't break PMTUD. Either that, or they should turn off PMTUD on their servers.

> Having said that, the "I can't get a bank statement" issue currently being discussed on the ADSL list is not the above fault, it is affecting users with full MTU on Jetstart.

How sure are you that the *path* between users and the bank firewalls contains no router interfaces with sub-1500 byte MTUs? Have you verified that 1500-byte datagrams with DF set are consistently carried successfully between Jetstart subscribers and other destinations?

> It is well known that many implementations of HTTPS/SSL do not handle packet loss very well. Telecom use an overdraft in their shaping of Jetstart which causes TCP to start winding up to a full 8megs until the overdraft is hit, suddenly TCP is trying to drive 8Mb/s into a 128k pipe. There are truckloads of packets dropped on the floor before TCP sorts out this magnitude of "congestion", some SSL implementations never sort it out.
>
> So it works fine until the user tries a larger download (bank statement), all they get is the evil hourglass.

Overdraft? What peculiar terminology. The worst thing you'd expect in a path throughput constriction from 8M to 128k is surely the loss of a window's worth of data. You'd expect TCP to wind back to slow start, and you'd expect the in-flight pipeline to drain very rapidly. Performance would certainly be hit, but I don't think I would expect consistently stalled connections.

The visible symptoms (large download gives "evil hourglass") sound much more like a TCP session which is sufficiently long-lived for large segments to be sent by the bank's server, leading the session to trip over a crippled use of PMTUD by the server. Turning off HTTP/1.1 pipelining can sometimes help make the symptoms go away. You see similar symptoms with mail ("small messages get through, but messages longer than a few paragraphs remain in the queue and don't get delivered").

Joe
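Joe's point about filtering ICMP by sub-code rather than wholesale, and Brian's MSS-clamp figure, as an added Python sketch that is not from the thread: the packets are constructed by hand and the allow table is an assumption about what a PMTUD-safe filter would pass.

```python
"""Classify IPv4 ICMP messages so a filter can drop most ICMP while still
passing the type 3 / code 4 "fragmentation needed" messages that Path MTU
Discovery depends on. Constructed example: the packet bytes below are
hand-built, not captured from any network."""
import struct
from typing import Optional

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4       # type 3, code 4: fragmentation needed and DF set
ICMP_TIME_EXCEEDED = 11

# Assumed policy: type -> allowed codes (None = every code of that type).
# Any type not listed is dropped, so echo request/reply never get through.
ALLOW = {
    ICMP_DEST_UNREACH: {ICMP_FRAG_NEEDED},
    ICMP_TIME_EXCEEDED: None,   # keeps traceroute working
}


def icmp_verdict(icmp: bytes) -> str:
    """Return 'allow' or 'drop' for one raw ICMP message (header + payload)."""
    if len(icmp) < 8:
        return "drop"           # truncated header: never act on it
    itype, code = icmp[0], icmp[1]
    codes = ALLOW.get(itype, set())
    return "allow" if codes is None or code in codes else "drop"


def next_hop_mtu(icmp: bytes) -> Optional[int]:
    """For a fragmentation-needed message the next-hop MTU sits in bytes 6..7."""
    if len(icmp) >= 8 and icmp[0] == ICMP_DEST_UNREACH and icmp[1] == ICMP_FRAG_NEEDED:
        return struct.unpack("!H", icmp[6:8])[0]
    return None


def clamp_mss(link_mtu: int) -> int:
    """Largest TCP MSS that fits link_mtu after 20-byte IPv4 and 20-byte TCP headers."""
    return link_mtu - 40


# Constructed messages: checksum left zero, embedded IP header stubbed as 0x45 bytes.
FRAG_NEEDED = struct.pack("!BBHHH", 3, 4, 0, 0, 1450) + b"\x45" * 28
HOST_UNREACH = struct.pack("!BBHHH", 3, 1, 0, 0, 0) + b"\x45" * 28
ECHO_REQUEST = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"ping"
```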