14

I've found a lot of information specifying that this is the case, however, I am really looking for the reason behind this. Why is it necessary? Is it necessary?

Aiden Thompson
  • 243
  • 1
  • 2
  • 5

1 Answer

14

The DF flag instructs routers that would normally fragment the packet due to it being too large for a link's MTU (and potentially deliver it out of order due to that fragmentation) to instead drop the packet and return an ICMP Fragmentation Needed packet, allowing the sending host to account for the lower MTU on the path to the destination host. This process is called "Path MTU discovery".

It's generally better to leave PMTUD alone and let it do its work, as opposed to having your TCP stack deal with out-of-order fragments. However, in some cases (mainly when the necessary ICMP is blocked) PMTUD doesn't work, and the connection breaks.

That's when you'll want to have the DF flag unset - when PMTUD can't function properly and connection problems result.

Shane Madden
  • 112,982
  • 12
  • 174
  • 248
  • 1
    Is there a reason that encrypted traffic, i.e. ssh and https traffic, shouldn't be fragmented? – Aiden Thompson Nov 16 '13 at 02:22
  • 5
    See also ["If I catch you blocking ICMP I will hunt you down, eviscerate you, and strangle you with your own entrails"](http://serverfault.com/questions/84963/why-not-block-icmp/84981#84981) – voretaq7 Nov 16 '13 at 07:03
  • 1
    @AidenThompson Generally, letting PMTUD do its thing instead of letting fragmentation happen is better for performance for all TCP connections, including SSH and HTTPS. – Shane Madden Nov 16 '13 at 07:18
  • 2
    (I.e., it has nothing to do with encryption, and everything to do with TCP.) – Nov 16 '13 at 19:49
  • This is one of those things that server and network worlds will never agree upon. – Smithers May 05 '15 at 14:54
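The PMTUD exchange the answer describes, and the black hole that results when the ICMP is filtered, as an added Python model that is not part of the original thread (addresses, MTUs and the hop list are constructed; IP and ICMP checksums are left at zero, and the router/sender functions are hypothetical stand-ins for real stacks):

```python
import struct

IP_FLAG_DF = 0x4000                        # Don't Fragment bit in the IPv4 flags/fragment-offset field
SRC, DST = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"   # constructed sample addresses 10.0.0.1 -> 10.0.0.2

def ipv4_header(total_len, df, src=SRC, dst=DST, ident=1):
    """Minimal 20-byte IPv4 header (header checksum left at 0 for brevity)."""
    flags_frag = IP_FLAG_DF if df else 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag, 64, 6, 0, src, dst)

def router_forward(packet, link_mtu):
    """Model one hop: forward as-is, fragment, or (with DF set) drop and emit
    ICMP type 3 code 4 carrying the next-hop MTU (RFC 1191 format)."""
    total_len, flags_frag = struct.unpack("!H", packet[2:4])[0], struct.unpack("!H", packet[6:8])[0]
    if total_len <= link_mtu:
        return "forward", packet
    if flags_frag & IP_FLAG_DF:
        icmp = struct.pack("!BBHHH", 3, 4, 0, 0, link_mtu) + packet[:28]  # + original IP hdr + 8 bytes
        return "icmp_frag_needed", icmp
    return "fragment", None                # DF clear: the router would fragment instead

def sender_handle_icmp(icmp, pmtu):
    """Sender side of PMTUD: lower the cached path MTU from a Fragmentation Needed message."""
    typ, code, _, _, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    if (typ, code) != (3, 4):
        return pmtu
    if next_hop_mtu == 0:                  # pre-RFC 1191 routers send 0: fall back to a conservative value
        next_hop_mtu = 576
    return min(pmtu, max(next_hop_mtu, 68))  # only ever shrink; 68 is the IPv4 minimum MTU

def pmtud_session(link_mtus, start_mtu=1500, icmp_blocked=False, max_rounds=8):
    """Send a full-size DF packet along the path, shrinking on each ICMP, until it fits.
    Returns (delivered, final_pmtu). With the ICMP filtered this is the PMTUD black hole."""
    pmtu = start_mtu
    for _ in range(max_rounds):
        pkt = ipv4_header(pmtu, df=True) + b"\0" * (pmtu - 20)
        verdict, data = "forward", pkt
        for mtu in link_mtus:
            verdict, data = router_forward(pkt, mtu)
            if verdict != "forward":
                break
        if verdict == "forward":
            return True, pmtu
        if icmp_blocked:                   # the ICMP never reaches the sender; it just retransmits
            continue
        pmtu = sender_handle_icmp(data, pmtu)
    return False, pmtu
```

`pmtud_session([1500, 1400, 1492])` converges to 1400 after one ICMP; the same path with `icmp_blocked=True` never delivers and the sender keeps retransmitting 1500-byte packets, which is the stall the answer warns about.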