This article provides information on how we should calculate TCP MSS (Maximum Segment Size) between BGP peers.
The MSS value advertised during the TCP three-way handshake is based on the interface MTU (Maximum Transmission Unit), whereas the mss value shown by the command show system connections extensive reflects the MSS currently in use on the session. The two can differ.
When a BGP session is established, the BGP peers negotiate the TCP MSS parameter, using the lesser of the two values. This article explains how to calculate the actually negotiated TCP MSS value. The MSS is determined during the TCP three-way handshake, but the negotiated value can be derived from the header lengths of a captured BGP OPEN message. Two examples are presented: one with the MD5 authentication-key activated, the other with it deactivated. The MSS depends on the length of the TCP Options field, which in turn depends on whether the MD5 authentication-key is activated.
Topology
<---- BGP ----> [M5] ge-0/0/0 ---------------ge-1/0/0 [M10]
With the BGP configuration and topology given below, the output of the command show system connections extensive indicates 1428 as the negotiated TCP MSS value. In this case, the MD5 authentication-key is activated on both routers.
M5> show system connections extensive
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  1.1.1.1.49471          2.2.2.2.179            ESTABLISHED
-- snip --
        rxtcur: 1200    rxtshift: 0    rtseq: 2315687805
        rttmin: 1000    mss: 1428    <<<<<<<<< Negotiated MSS (Sample 1*)

M10> show system connections extensive
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  2.2.2.2.179            1.1.1.1.49471          ESTABLISHED
-- snip --
        rxtcur: 1200    rxtshift: 0    rtseq: 4276796174
        rttmin: 1000    mss: 1428    <<<<<<< Negotiated MSS (Sample 1*)
Config
=== M5 ===
interfaces {
    ge-0/0/0 {
        mtu 1582;
        unit 0 {
            family inet {
                mtu 1500;
                address 192.168.1.1/24;
            }
            family mpls {
                mtu 1568;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 1.1.1.1/32;
            }
        }
    }
}
routing-options {
    autonomous-system 2519;
}
protocols {
    bgp {
        group ibgp {
            type internal;
            authentication-key "$9$Hq5Q369pO1n6KM"; ## SECRET-DATA
            neighbor 2.2.2.2 {
                local-address 1.1.1.1;
                tcp-mss 1440;
            }
        }
    }
    ospf {
        area 0.0.0.0 {
            interface ge-0/0/0.0;
            interface lo0.0;
        }
    }
}

=== M10 ===
interfaces {
    ge-1/0/0 {
        mtu 1582;
        unit 0 {
            family inet {
                mtu 1500;
                address 192.168.1.2/24;
            }
            family mpls {
                mtu 1568;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 2.2.2.2/32;
            }
        }
    }
}
routing-options {
    autonomous-system 2519;
}
protocols {
    bgp {
        group ibgp {
            type internal;
            authentication-key "$9$Hq5Q369pO1n6KM"; ## SECRET-DATA
            neighbor 1.1.1.1 {
                local-address 2.2.2.2;
                tcp-mss 1440;
            }
        }
    }
    ospf {
        area 0.0.0.0 {
            interface ge-1/0/0.0;
            interface lo0.0;
        }
    }
}
On the other hand, when the MD5 authentication-key is deactivated on both routers, the output of the command show system connections extensive indicates 1440 as the negotiated TCP MSS.
M5# deactivate protocols bgp group ibgp authentication-key
M5# show | compare
[edit protocols bgp group ibgp]
!     inactive: authentication-key "$9$Hq5Q369pO1n6KM";
M5# commit
commit complete

M10# deactivate protocols bgp group ibgp authentication-key
M10# show | compare
[edit protocols bgp group ibgp]
!     inactive: authentication-key "$9$Hq5Q369pO1n6KM";
M10# commit
commit complete

M5> show system connections extensive
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  1.1.1.1.57208          2.2.2.2.179            ESTABLISHED
-- snip --
        rxtcur: 1200    rxtshift: 0    rtseq: 1547856802
        rttmin: 1000    mss: 1440    <<<<< Negotiated MSS (Sample 2*)

M10> show system connections extensive
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  2.2.2.2.179            1.1.1.1.57208          ESTABLISHED
-- snip --
        rxtcur: 1200    rxtshift: 0    rtseq: 1353169490
        rttmin: 1000    mss: 1440    <<<<< Negotiated MSS (Sample 2*)
When the MD5 authentication-key is activated on both routers, the MSS is calculated by the following equation.
MSS* = Ethernet frame (1518 B) - MAC DA/SA, Type, FCS (18 B) - IP header (20 B) - TCP header (52 B) = 1428 B
From the captured BGP OPEN message (frame No. 5), the IP header length (20 bytes) and TCP header length (52 bytes, of which 32 bytes are options) give 1428 B. Because this MSS* is smaller than the configured tcp-mss (1440 B), MSS* becomes the actually negotiated MSS (1428 B < 1440 B).
----------------------------------------------------------------------------------------------------------------------
No.     Time        Source      Destination   Protocol  Length  Info
5       1.899673    1.1.1.1     2.2.2.2       BGP       175     OPEN Message

Frame 5: 175 bytes on wire (1400 bits), 175 bytes captured (1400 bits)
Juniper Ethernet
Ethernet II, Src: JuniperN_9a:a0:7f (00:12:1e:9a:a0:7f), Dst: JuniperN_9a:ae:f0 (00:12:1e:9a:ae:f0)
Internet Protocol Version 4, Src: 1.1.1.1 (1.1.1.1), Dst: 2.2.2.2 (2.2.2.2)
    Version: 4
    Header length: 20 bytes    <<<<< IP header
    Differentiated Services Field: 0xc0 (DSCP 0x30: Class Selector 6; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
    Total Length: 139
    Identification: 0x8476 (33910)
    Flags: 0x02 (Don't Fragment)
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (6)
    Header checksum: 0xaf31 [correct]
    Source: 1.1.1.1 (1.1.1.1)
    Destination: 2.2.2.2 (2.2.2.2)
Transmission Control Protocol, Src Port: 60916 (60916), Dst Port: bgp (179), Seq: 1, Ack: 1, Len: 67
    Source port: 60916 (60916)
    Destination port: bgp (179)
    [Stream index: 0]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 68    (relative sequence number)]
    Acknowledgement number: 1    (relative ack number)
    Header length: 52 bytes    <<<<<<< TCP header
    Flags: 0x18 (PSH, ACK)
    Window size value: 17136
    [Calculated window size: 17136]
    [Window size scaling factor: 1]
    Checksum: 0x9e6c [validation disabled]
    Options: (32 bytes)
    [SEQ/ACK analysis]
Border Gateway Protocol
When the MD5 authentication-key is deactivated on both routers, the MSS is calculated by the following equation.
MSS** = Ethernet frame (1518 B) - MAC DA/SA, Type, FCS (18 B) - IP header (20 B) - TCP header (32 B) = 1448 B
From the captured BGP OPEN message (frame No. 46), the IP header length (20 bytes) and TCP header length (32 bytes, of which 12 bytes are options) give 1448 B. Because this MSS** is larger than the configured tcp-mss (1440 B), the configured tcp-mss becomes the actually negotiated MSS (1440 B < 1448 B).
----------------------------------------------------------------------------------------------------------------------
No.     Time        Source      Destination   Protocol  Length  Info
46      88.363456   1.1.1.1     2.2.2.2       BGP       155     OPEN Message

Frame 46: 155 bytes on wire (1240 bits), 155 bytes captured (1240 bits)
Juniper Ethernet
Ethernet II, Src: JuniperN_9a:a0:7f (00:12:1e:9a:a0:7f), Dst: JuniperN_9a:ae:f0 (00:12:1e:9a:ae:f0)
Internet Protocol Version 4, Src: 1.1.1.1 (1.1.1.1), Dst: 2.2.2.2 (2.2.2.2)
    Version: 4
    Header length: 20 bytes    <<<< IP header
    Differentiated Services Field: 0xc0 (DSCP 0x30: Class Selector 6; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
    Total Length: 119
    Identification: 0x0155 (341)
    Flags: 0x02 (Don't Fragment)
    Fragment offset: 0
    Time to live: 255
    Protocol: TCP (6)
    Header checksum: 0x7366 [correct]
    Source: 1.1.1.1 (1.1.1.1)
    Destination: 2.2.2.2 (2.2.2.2)
Transmission Control Protocol, Src Port: bgp (179), Dst Port: 54950 (54950), Seq: 1, Ack: 68, Len: 67
    Source port: bgp (179)
    Destination port: 54950 (54950)
    [Stream index: 2]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 68    (relative sequence number)]
    Acknowledgement number: 68    (relative ack number)
    Header length: 32 bytes    <<<<<< TCP header
    Flags: 0x18 (PSH, ACK)
    Window size value: 16384
    [Calculated window size: 16384]
    [Window size scaling factor: 1]
    Checksum: 0x82b2 [validation disabled]
    Options: (12 bytes)
    [SEQ/ACK analysis]
Border Gateway Protocol
    OPEN Message
        Marker: 16 bytes
        Length: 67 bytes
        Type: OPEN Message (1)
        Version: 4
        My AS: 65000
        Hold time: 90
        BGP identifier: 1.1.1.1
        Optional parameters length: 38 bytes
        Optional parameters
When the MD5 authentication-key is activated, the MSS is calculated as:
MSS* = Ethernet frame (1518 B) - MAC DA/SA, Type, FCS (18 B) - IP header (20 B) - TCP header (52 B) = 1428 B
[1] If the configured tcp-mss is equal to or larger than the above MSS*, the negotiated MSS is MSS* (1428 B).
[2] If the configured tcp-mss is smaller than the above MSS*, the negotiated MSS is the configured tcp-mss.
This was verified with several configured tcp-mss values to understand the actually negotiated MSS.
    | configured tcp-mss | Negotiated MSS (show system connections extensive)
----+--------------------+--------------------------------------------------
[2] | 1425               | 1425
[2] | 1426               | 1426
[2] | 1427               | 1427
[1] | 1428               | 1428    <<<< tcp-mss equals the above MSS*
[1] | 1429               | 1428
[1] | 1430               | 1428
[1] | 1440               | 1428    <<<< Sample 1*
When the MD5 authentication-key is deactivated, the MSS is calculated as:
MSS** = Ethernet frame (1518 B) - MAC DA/SA, Type, FCS (18 B) - IP header (20 B) - TCP header (32 B) = 1448 B
[3] If the configured tcp-mss is equal to or larger than the above MSS**, the negotiated MSS is MSS** (1448 B).
[4] If the configured tcp-mss is smaller than the above MSS**, the negotiated MSS is the configured tcp-mss.
This was verified with several tcp-mss values to understand the actually negotiated MSS.
    | configured tcp-mss | Negotiated MSS (show system connections extensive)
----+--------------------+--------------------------------------------------
[4] | 1440               | 1440    <<<< Sample 2*
[4] | 1445               | 1445
[4] | 1446               | 1446
[4] | 1447               | 1447
[3] | 1448               | 1448    <<<< tcp-mss equals the above MSS**
[3] | 1449               | 1448
[3] | 1450               | 1448
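The calculation behind both tables, as an added example that is not part of the original article or of Junos: a small Python routine walks the TCP Options field of a captured segment, reports whether the MD5 signature option (kind 19) is present, and derives the option-adjusted MSS and the negotiated value from the configured tcp-mss. The option byte layouts are constructed here to match the 12-byte and 32-byte Options fields seen in the two captures; the NOP padding after the MD5 option is an assumption consistent with those lengths.

```python
IP_HDR = 20          # IPv4 header with no options (both captures show 20 bytes)
TCP_BASE_HDR = 20    # TCP header before the Options field
KIND_EOL, KIND_NOP, KIND_TS, KIND_MD5 = 0, 1, 8, 19   # RFC 793, RFC 7323, RFC 2385


def parse_tcp_options(opts: bytes) -> dict:
    """Walk the kind/length TLVs of a TCP Options field and return {kind: length}.
    NOP and EOL carry no length byte; for NOP the stored value is a count."""
    found, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == KIND_EOL:
            break
        if kind == KIND_NOP:
            found[kind] = found.get(kind, 0) + 1
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option at offset %d" % i)
        found[kind] = opts[i + 1]
        i += opts[i + 1]
    return found


def effective_mss(opts: bytes, ip_mtu: int = 1500) -> int:
    """MSS* / MSS** of the article: IP MTU - IP header - (TCP header + options).
    The 1518 B Ethernet frame minus 18 B of DA/SA, Type and FCS is the 1500 B IP MTU."""
    parse_tcp_options(opts)                     # reject malformed option bytes first
    return ip_mtu - IP_HDR - (TCP_BASE_HDR + len(opts))


def negotiated_mss(configured_tcp_mss: int, opts: bytes, ip_mtu: int = 1500) -> int:
    """The session uses the lesser of the configured tcp-mss and the option-adjusted MSS."""
    return min(configured_tcp_mss, effective_mss(opts, ip_mtu))


# Constructed option fields laid out like the captures: 12 bytes without MD5
# (NOP, NOP, Timestamps) and 32 bytes with MD5 (plus MD5 signature, NOP, NOP).
# Timestamp and digest values are zero placeholders; only the layout matters here.
OPTS_NO_MD5 = bytes([KIND_NOP, KIND_NOP, KIND_TS, 10]) + bytes(8)
OPTS_MD5 = OPTS_NO_MD5 + bytes([KIND_MD5, 18]) + bytes(16) + bytes([KIND_NOP, KIND_NOP])

if __name__ == "__main__":
    for label, opts in (("MD5 on ", OPTS_MD5), ("MD5 off", OPTS_NO_MD5)):
        md5 = "present" if KIND_MD5 in parse_tcp_options(opts) else "absent"
        print(label, "options:", len(opts), "B, MD5 option", md5, "-> MSS", effective_mss(opts))
        for cfg in (1425, 1428, 1440, 1448, 1450):
            print("   tcp-mss %d -> negotiated %d" % (cfg, negotiated_mss(cfg, opts)))
```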