I have a Hurricane Electric IPv6 tunnel that runs on my home Cisco 887VA. After setting the tunnel up, I was having issues connecting to IPv6-enabled websites, which would never load consistently. If your first thought was “MTU blackholing”, then you weren’t far off. But it’s a bit more complicated than that.
For those who don’t know, MTU refers to the maximum size of packet that can be transmitted on a network for a specific protocol. To discover the value for a given path, systems use Path MTU Discovery (PMTUD). For IPv6, PMTUD relies on ICMPv6 type 2 - Packet too big messages arriving from hosts in the path that have smaller MTUs. When the sender receives a Packet too big message, it lowers its path MTU to the advertised value and fragments any packets larger than that value itself before sending them.
In real life, as ICMP/v6 is (sadly) often blocked on the Internet, you need to set the MTU for tunnels manually. In my case, this was already correctly set to account for PPPoE and 6to4 encapsulation.
Instead, the issue had to do with setting the TCP Maximum Segment Size (MSS), the largest payload a single TCP segment can carry, not counting the IP and TCP headers.
Setting the TCP MSS ensures that the data payload of a packet will fit within a desired MTU. For IPv4, it is usually set to be 40 bytes lower than the MTU value, as the IP + TCP headers are 40 bytes in total. To set it, I was able to use the ip tcp adjust-mss option on the Cisco box. There was no equivalent command for IPv6.
Researching the issue revealed the version I was running at the time, 15.1(0), had no way of adjusting TCP segment sizes for IPv6. My tunnel was doomed to behave inconsistently unless I upgraded the firmware.
The newer versions of IOS can do it. But it’s not what you think: in versions since 15.2(4)M, the command ip tcp adjust-mss applies to both IPv4 and IPv6. Although they have… different header sizes.
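To make the header arithmetic and the single-value trade-off concrete, here is an added example (not code from the post or from Cisco): it derives the per-family MSS from a tunnel MTU, and rewrites the MSS option of a constructed TCP SYN the way an MSS-clamping router does. The MTU figures and the SYN bytes are constructed for illustration, not taken from the author's setup.

```python
import struct

IPV4_PLUS_TCP = 20 + 20  # IPv4 header + TCP header (no options)
IPV6_PLUS_TCP = 40 + 20  # IPv6 header + TCP header (no options)


def mss_for(mtu: int, family: int) -> int:
    """Largest TCP payload that fits in one packet of the given MTU."""
    return mtu - (IPV4_PLUS_TCP if family == 4 else IPV6_PLUS_TCP)


def shared_adjust_mss(tunnel_mtu: int) -> dict:
    """One adjust-mss value serving both families, as on IOS >= 15.2(4)M.

    The IPv6-safe value is the smaller one, so choosing it costs every IPv4
    segment the 20-byte difference between the two IP header sizes.
    """
    v4, v6 = mss_for(tunnel_mtu, 4), mss_for(tunnel_mtu, 6)
    return {"ipv4_ideal": v4, "ipv6_ideal": v6, "shared": v6, "ipv4_cost": v4 - v6}


def clamp_mss_option(tcp_options: bytes, limit: int) -> bytes:
    """Rewrite the MSS option (kind 2) in a SYN's TCP options to at most `limit`.

    Other options are copied through untouched; an MSS already at or below
    the limit is left alone. Malformed option lengths are rejected.
    """
    out, i = bytearray(), 0
    while i < len(tcp_options):
        kind = tcp_options[i]
        if kind == 0:                      # End of option list
            out += tcp_options[i:]
            break
        if kind == 1:                      # NOP is a single byte
            out.append(kind)
            i += 1
            continue
        length = tcp_options[i + 1]
        if length < 2 or i + length > len(tcp_options):
            raise ValueError("malformed TCP option")
        if kind == 2 and length == 4:      # MSS: kind, len, 16-bit value
            mss = struct.unpack("!H", tcp_options[i + 2:i + 4])[0]
            out += bytes([2, 4]) + struct.pack("!H", min(mss, limit))
        else:
            out += tcp_options[i:i + length]
        i += length
    return bytes(out)


# Constructed scenario: 1500-byte Ethernet, minus 8 for PPPoE, minus 20 for
# the outer IPv4 header of the 6in4 tunnel -> assumed tunnel MTU of 1472.
TUNNEL_MTU = 1500 - 8 - 20
# Constructed SYN options: MSS 1460, NOP, window scale 7.
SYN_OPTIONS = b"\x02\x04\x05\xb4\x01\x03\x03\x07"
```

Running shared_adjust_mss(TUNNEL_MTU) gives an IPv4 MSS of 1432, an IPv6 MSS of 1412 and a 20-byte IPv4 cost for the shared value; clamping SYN_OPTIONS to 1412 rewrites only the MSS bytes.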
The tunnel started working after upgrading the firmware and making the change. Doing so also introduced 20 bytes of overhead for all IPv4 TCP connections.
But at least IPv6 works now.
It’s just gone past 8 PM.
Time to relax, to unwind, to eat some dinner and watch some Netflix. But something’s wrong. Netflix refuses to play. It’s complaining I’m using a proxy.
It appears that my London-based Hurricane Electric assigned IPv6 block is geo-located in the US.
With another sigh, I disable IPv6 in the browser, quietly weeping in my bowl of mac and cheese porridge.