How to calculate TCP-MSS value between BGP peers

This article explains how to calculate the TCP MSS (Maximum Segment Size) between BGP peers.

The MSS value advertised in the 3-way handshake is based on the interface MTU (Maximum Transmission Unit), whereas the MSS value shown by the command show system connections extensive reflects the MSS currently in use. This can differ from the advertised MSS value.

When a BGP session is established, the BGP peers negotiate the TCP MSS parameter and settle on the lesser of their two values. This article explains how to calculate the actually negotiated TCP MSS value. The MSS is determined during the TCP 3-way handshake, but the negotiated MSS value can also be understood by checking the content of the captured BGP Open message. Two examples are presented here: one with the MD5 Authentication-key activated, and the other with the MD5 Authentication-key deactivated. The MSS value depends on the Options field length, which in turn depends on whether the MD5 Authentication-key is activated.

Topology

In the BGP configuration and topology given below, the output of the command show system connections extensive indicates 1428 as the negotiated TCP-MSS value. In this case, the MD5 Authentication-key is activated on both routers.

Config

On the other hand, when the MD5 Authentication-key is deactivated on both routers, the output of the command show system connections extensive indicates 1440 as the negotiated TCP-MSS.

When the MD5 Authentication-key is activated on both routers, the MSS is calculated by the following equation.

MSS* = Etherframe(1518B) - MAC(DA/SA)/TYPE/FCS(18B) - IP(20B) - TCP(52B) = 1428 Byte

From the captured BGP OPEN message (No. 5), MSS* is calculated as 1428 B. If this MSS* is smaller than the configured tcp-mss (1440 B), MSS* becomes the actually negotiated MSS (1428 B < 1440 B).

When the MD5 Authentication-key is deactivated on both routers, the MSS is calculated by the following equation.

MSS** = Etherframe(1518B) - MAC(DA/SA)/TYPE/FCS(18B) - IP(20B) - TCP(32B) = 1448 Byte

From the captured BGP OPEN message (No. 46), MSS** is calculated as 1448 B. If this MSS** is larger than the configured tcp-mss (1440 B), the configured tcp-mss becomes the actually negotiated MSS (1440 B < 1448 B).

When the MD5 Authentication-key is activated, the MSS is calculated as:

MSS* = Etherframe(1518B) - MAC(DA/SA)/TYPE/FCS(18B) - IP(20B) - TCP(52B) = 1428 Byte

[1] If the configured tcp-mss is equal to or larger than the above MSS*, the negotiated MSS is 1428 B.

[2] If the configured tcp-mss is smaller than the above MSS*, the negotiated MSS is the configured tcp-mss.

This was verified with several configured tcp-mss values to understand the actually negotiated MSS.

When the MD5 Authentication-key is deactivated, the MSS is calculated as:

MSS** = Etherframe(1518B) - MAC(DA/SA)/TYPE/FCS(18B) - IP(20B) - TCP(32B) = 1448 Byte

[3] If the configured tcp-mss is equal to or larger than the above MSS**, the negotiated MSS is 1448 B.

[4] If the configured tcp-mss is smaller than the above MSS**, the negotiated MSS is the configured tcp-mss.

This was verified with several tcp-mss values to understand the actually negotiated MSS.
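
The calculation above can be reproduced from a capture by reading the TCP header length of a BGP segment and applying rules [1] to [4]. The following Python sketch is an added example, not part of the original article or of any vendor tool: it walks the TCP options of two constructed headers, reports whether the MD5 signature option (kind 19, length 18) is present, and derives the MSS. The function names, the sample ports and the exact option ordering are assumptions; the article only states the total TCP header sizes (52 B and 32 B).

```python
import struct

ETH_FRAME, ETH_OVERHEAD, IP_HEADER = 1518, 18, 20   # byte counts used in the article
OPT_NAMES = {2: "MSS", 8: "Timestamps", 19: "MD5 signature"}  # TCP option kinds

def parse_tcp_header(segment: bytes):
    """Return (header_length, option_names) for the raw TCP header in `segment`."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    header_len = (segment[12] >> 4) * 4          # data offset counts 32-bit words
    if not 20 <= header_len <= len(segment):
        raise ValueError("invalid data offset")
    names, i = [], 20
    while i < header_len:
        kind = segment[i]
        if kind == 0:                            # End of Option List
            break
        if kind == 1:                            # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= header_len:
            raise ValueError("option length missing")
        length = segment[i + 1]
        if length < 2 or i + length > header_len:
            raise ValueError("malformed option length")
        names.append(OPT_NAMES.get(kind, f"kind {kind}"))
        i += length
    return header_len, names

def effective_mss(tcp_header_len: int, configured_tcp_mss: int) -> int:
    """The article's formula, capped by the configured tcp-mss (rules [1] to [4])."""
    return min(ETH_FRAME - ETH_OVERHEAD - IP_HEADER - tcp_header_len, configured_tcp_mss)

def build_header(options: bytes) -> bytes:
    """Constructed sample header: ports, sequence numbers and window are made up."""
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 49152, 179, 1, 1, offset << 4, 0x18, 16384, 0, 0) + options

TIMESTAMPS = b"\x01\x01" + bytes([8, 10]) + bytes(8)     # NOP, NOP, Timestamps (12 B)
MD5_SIG = b"\x01\x01" + bytes([19, 18]) + bytes(16)      # NOP, NOP, MD5 option, zeroed digest (20 B)
WITH_MD5 = build_header(MD5_SIG + TIMESTAMPS)            # 20 + 32 = 52-byte header
WITHOUT_MD5 = build_header(TIMESTAMPS)                   # 20 + 12 = 32-byte header

if __name__ == "__main__":
    for label, hdr in (("MD5 on", WITH_MD5), ("MD5 off", WITHOUT_MD5)):
        length, opts = parse_tcp_header(hdr)
        print(label, length, opts, effective_mss(length, 1440))
```

A 52-byte TCP header on the BGP session indicates that the MD5 option is being carried; a 32-byte header on a session that is supposed to be authenticated is worth checking against the configuration.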

 

About the author

Prasanna
