My friend jeff_duntemann, no slouch in the technology department, was having some weird problems with his PC. Specifically, some websites, such as Lulu.com and Vanguard, weren't letting him establish a secure connection. (I was more concerned about the Lulu site since that's where my book is sold from, but Jeff was more concerned about Vanguard so he could manage his money. Go figure.) The problem was, these web sites SHOULD work! And that's why I'll always have a job - things should work but they don't.
I can't take credit for this fix, though - Jeff finally got hold of somebody from Vanguard who understood his problem. "Your maximum transmission unit (MTU) is too big," they told him, and had him download drtcp.exe, a tool which allowed him to fix the problem. It worked, but he didn't know why. Actually, I've been in computer networking for 10 years and I didn't know why either. So I did some research, and here's the answer. (This web page from Cisco was helpful, but unless you've got a CCNA or are working on one, it's probably Greek.)
First, one needs to understand how computers talk. Say you want to download a 1 megabyte picture of Anna Kournikova. (Or Brad Pitt, but he doesn't do much for me.) Well, the server that has that picture breaks it down into packets of data. Each packet has a destination and return address, a sequence number (so it can be put back into order) and a bit of data. Each packet is put on the wire, and sent to your PC.
Every physical medium of transmission has a minimum and a maximum packet size, which is driven by the physics of sending electrical or optical signals down copper wire or fiber. Books have been written about this, many of which are great cures for insomnia. For our purposes, all we need to know is that Ethernet's default MTU is 1500 bytes. If you have high speed Internet at home or at the office, the connection from your PC is probably Ethernet, and so the PC sends everything out with a maximum packet size of 1500 unless told otherwise.
Well, the connection from your home or office to the server with Anna's picture on it is not Ethernet, and it has a different MTU. Since this problem first appeared on the Internet in the Reagan administration, routers are set to do two things. First, they "fragment" the too-big packets into a just-big-enough packet and an extra packet with the overflow. There are some problems with this, the biggest of which is that the extra packet, because it's so small, can look like an attempt to hack the router. Second, they use a protocol called ICMP (Internet Control Message Protocol) to tell the sending machine to send smaller packets.
Here's where things get really interesting. ICMP was written a long time ago, and doesn't so much have security holes as no security at all. So, a lot of router admins filter (AKA "turn off") ICMP. Thus, the sending machine never hears that it's sending oversized packets, and just keeps on keeping on. Remember, the path to Anna's picture may be hitting dozens of routers on the way, and in theory at least, each and every packet could take a different path through the network.
If you're downloading Anna's picture from somebody's personal website, this is not much of a problem. The packets keep flowing, although they come down a little slower (because the router is dis-assembling and re-assembling them) but it works. If you are using a secure tunneling protocol (like Secure Socket Layer (SSL), the standard for banking and e-commerce transactions) you might have a problem.
To simplify greatly, SSL works by taking a regular old data packet, encrypting it, and tacking on "stuff" on both ends so it can get to where it's going and be decrypted. Because of this overhead, you could end up with "double fragments" - the router has to fragment an already-encrypted packet. You get a flood of fragments. Remember that the small packets look like hacks? If the SSL host you're communicating with is paranoid (and since they have your financial data they should be) they may interpret this flood as an attack and shut down the web page.
There are several fixes to the problem. However, unless you control at least one major router in the path from you to them, the only fix is to change your MTU on your PC. The suggested size to start with is 1400 bytes. If you want to know how to use this tool, click here.
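Rather than guessing at 1400, you can measure what the path actually carries. The script below is an added example (mine, not from the original post or from DRTCP): it pings a host with the Don't Fragment bit set and binary-searches the largest packet that gets through. Whether the path answers with an ICMP "fragmentation needed" or just silently drops the probe (the filtered-ICMP case described above), the search lands on the same number, which is the MTU your PC should be using. It assumes Linux iputils `ping` (`-M do`); the `simulated_path` helper is a constructed stand-in so the logic can be exercised offline.

```python
"""Probe the path MTU to a host with Don't Fragment pings (added example)."""
import subprocess
from typing import Callable

IP_HEADER = 20    # IPv4 header, no options
ICMP_HEADER = 8   # ICMP echo header


def ping_df(host: str, payload: int, timeout_s: int = 2) -> bool:
    """True if one ICMP echo of `payload` data bytes with DF set is answered.

    Uses Linux iputils ping (-M do = set DF). A too-big probe fails either
    way: with an ICMP "frag needed" reply when PMTUD works, or with a
    timeout when some router on the path filters ICMP (the black hole)."""
    cmd = ["ping", "-M", "do", "-c", "1", "-W", str(timeout_s),
           "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Binary-search the largest IP packet size in [lo, hi] that `probe` passes.

    `probe(payload)` reports whether a DF packet with that many ICMP data
    bytes got through; assumed monotonic (if n passes, anything smaller does).
    Returns the full packet size (payload + ICMP + IP headers)."""
    if not probe(lo - IP_HEADER - ICMP_HEADER):
        raise RuntimeError("minimum size blocked: host down or echo filtered")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid - IP_HEADER - ICMP_HEADER):
            lo = mid
        else:
            hi = mid - 1
    return lo


def simulated_path(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real path, for running offline."""
    return lambda payload: payload + IP_HEADER + ICMP_HEADER <= path_mtu


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    mtu = find_path_mtu(lambda n: ping_df(host, n))
    # Set the PC's MTU to this value (or a little below it) if it is < 1500.
    print(f"path MTU to {host}: {mtu} bytes")
```

A result of 1492 is typical for a PPPoE DSL link (8 bytes of PPPoE overhead on top of Ethernet's 1500); a result well below that usually means a VPN or tunnel somewhere on the path.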
To summarize:
Q: How do I know I have a problem?
A: If you are able to connect to a site and sign into the SSL (secure) side, but things quit working AFTER that.
Q: How do I fix it?
A: Download and run DRTCP. Warning! Everybody's computer is different, so try this at your own risk!
Edited to add another helpful link. If you have a Linksys router connecting you to the Internet (and a lot of folks do), this link will help you fix the problem at the router level, which is preferred.