Every network link has a maximum packet size it can handle. This limit is called the Maximum Transmission Unit (MTU). When a packet is too big for a link it needs to cross, something has to give.
The Internet's solution? Chop the packet into pieces, send them separately, and hope they all arrive so the destination can glue them back together.
This is IP fragmentation. It sounds elegant. It's actually a source of significant problems.
What Is MTU?
The Maximum Transmission Unit is exactly what it sounds like: the largest packet a network link can transmit in one piece. MTU is measured in bytes and includes the IP header and payload.
Ethernet—the technology connecting most devices to networks—has an MTU of 1500 bytes. This number has become the de facto standard for Internet traffic, not because it's optimal, but because it's what Ethernet settled on decades ago and everything else adapted.
Other technologies have different MTUs. VPNs and tunnels add encapsulation overhead, effectively reducing the usable MTU. PPPoE (common for DSL) drops it to 1492 bytes. Some data center networks use "jumbo frames" with 9000-byte MTUs for efficiency—but only internally, where they control every link.
Path MTU: The Bottleneck Problem
A packet traveling across the Internet doesn't traverse a single link. It hops through dozens of routers, each connecting different network segments with potentially different MTUs.
The path MTU is the smallest MTU of any link along the route. If your packet travels through fifteen links and fourteen can handle 1500 bytes but one maxes out at 1400, your path MTU is 1400.
This is where fragmentation enters the picture.
How Fragmentation Works
When a router receives a packet larger than the outgoing link's MTU, it has a choice: fragment or fail.
If fragmentation is allowed, the router splits the packet into smaller pieces. Each fragment gets its own IP header with:
- An identification number (same across all fragments from one packet)
- A fragment offset (where this piece belongs in the original)
- A flag indicating whether more fragments follow
The fragments travel independently—potentially taking different paths—and the destination reassembles them into the original packet.
A 3000-byte packet crossing a 1500-byte link becomes two fragments: one with 1480 bytes of data, another with the remainder. Simple enough.
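The header fields listed above can be worked through in code. This is an added example, not part of the original article: the function names, the identification value and the sample payload are constructed for illustration, and it assumes a 20-byte IPv4 header with no options. It also shows what the destination is left with when one piece never arrives.

```python
import struct

IP_HDR_LEN = 20   # IPv4 header without options (assumption for this example)
MF = 0x2000       # "more fragments" bit in the 16-bit flags/offset field

def fragment(ident, payload, mtu):
    """Split payload into (ident, offset_units, more_flag, data) fragments."""
    # The offset field counts 8-byte units, so every fragment except the
    # last must carry a multiple of 8 data bytes.
    step = (mtu - IP_HDR_LEN) // 8 * 8
    frags = []
    for start in range(0, len(payload), step):
        chunk = payload[start:start + step]
        more = start + len(chunk) < len(payload)
        frags.append((ident, start // 8, more, chunk))
    return frags

def flags_offset_field(offset_units, more):
    """Pack the flags + fragment offset field as it appears in the header."""
    return struct.pack("!H", (MF if more else 0) | offset_units)

def reassemble(frags, ident):
    """Return the original payload, or None while any piece is missing."""
    mine = [(off * 8, more, data) for i, off, more, data in frags if i == ident]
    pieces = {start: data for start, _, data in mine}
    ends = [start + len(data) for start, more, data in mine if not more]
    if not ends:
        return None            # the final fragment (MF=0) never arrived
    out, pos = bytearray(), 0
    while pos < ends[0]:
        if not pieces.get(pos):
            return None        # hole: one lost fragment loses the whole packet
        out += pieces[pos]
        pos += len(pieces[pos])
    return bytes(out)

# Constructed sample: a 4000-byte datagram (20-byte header + 3980 data bytes)
# crossing a link with a 1400-byte MTU.
PAYLOAD = bytes(range(256)) * 15 + bytes(140)
FRAGS = fragment(0x1A2B, PAYLOAD, 1400)

if __name__ == "__main__":
    for ident, off, more, data in FRAGS:
        print(f"id={ident:#06x} offset={off * 8:4d} MF={int(more)} len={len(data)}")
    print("out of order:", reassemble(FRAGS[::-1], 0x1A2B) == PAYLOAD)
    print("one fragment lost:", reassemble(FRAGS[:1] + FRAGS[2:], 0x1A2B))
```

Note that a 1400-byte MTU leaves room for 1380 data bytes, but each non-final fragment carries only 1376 because of the 8-byte offset granularity.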
Why Fragmentation Is Terrible
Fragmentation looks like an elegant solution. In practice, it's a cascade of problems.
Lost fragments kill entire packets. If any single fragment is lost, the entire original packet is lost. The destination can't use partial data—it waits for all pieces, times out, and the source retransmits everything. You've multiplied your failure modes by the number of pieces.
Processing overhead compounds. The fragmenting router must allocate memory, copy data, and create new headers for each piece. The destination must buffer fragments, track arrivals, and reassemble. This work happens on every fragmented packet.
Security devices hate fragments. Firewalls and intrusion detection systems need to inspect packet contents. Fragments arrive independently, potentially out of order. Many security devices simply drop fragments rather than attempt reassembly—your traffic vanishes into a black hole.
Troubleshooting becomes archaeology. Packet captures show fragments as separate entries. Correlating them requires manual inspection of identification fields. When something goes wrong, finding the cause takes longer.
The Don't Fragment Flag
IPv4 includes a Don't Fragment (DF) flag. When set, routers are prohibited from fragmenting the packet. If it's too big for a link, the router drops it and sends back an ICMP "Fragmentation Needed" message telling the source the maximum size that would have worked.
Modern TCP implementations set DF by default. They'd rather learn about MTU limitations and adjust than suffer fragmentation's penalties. This approach—called Path MTU Discovery—lets the source send optimally-sized packets from the start.
IPv6: No More Router Fragmentation
IPv6 took a harder line. Routers are completely prohibited from fragmenting packets. Ever.
If an IPv6 packet is too big for the next link, the router drops it and sends an ICMPv6 "Packet Too Big" message. The source must reduce packet size or fragment before sending (though avoiding fragmentation entirely is strongly preferred).
This pushes MTU handling to endpoints, where the full context of the communication exists. The network stays simple; endpoints handle complexity.
IPv6 also mandates a minimum MTU of 1280 bytes. Every IPv6 link must support at least this size, giving sources a guaranteed baseline.
When MTU Problems Bite
MTU issues have a distinctive symptom pattern:
- Websites partially load, then hang
- SSH connects but freezes when you type
- VPNs establish but pass no traffic
- Large file transfers stall while small ones work
Small packets slip through fine. Large packets hit the MTU ceiling and disappear—often silently, because ICMP messages get blocked by overzealous firewalls.
The classic causes:
- PPPoE connections add 8 bytes of overhead. Your 1500-byte MTU becomes effectively 1492. Applications assuming 1500 bytes break.
- VPN tunnels wrap packets in additional headers, often 50-100 bytes. Traffic that fit before no longer does.
- Tunneling protocols (6to4, GRE, IPsec) all add encapsulation overhead that reduces effective MTU.
Finding the Problem
The diagnostic technique is simple: send packets of known sizes with the Don't Fragment flag set.
A ping carrying 1472 bytes of data sends 1500-byte packets (1472 bytes of data plus 28 bytes of ICMP and IP headers). If they fail but smaller packets succeed, you've found an MTU bottleneck.
Binary search narrows it down: try 1400, then 1450 or 1350 based on results, until you find the exact limit.
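The binary search can be automated. The sketch below is an added example, not from the original article: `find_path_mtu`, `ping_df` and `simulated_path` are hypothetical names, the default probe assumes Linux iputils `ping` (`-M do` sets Don't Fragment), and the 576-byte starting point and the 192.0.2.1 address are assumptions for illustration.

```python
import subprocess

IP_ICMP_HEADERS = 28  # 20-byte IPv4 header + 8-byte ICMP header

def ping_df(host, payload):
    """One echo request with DF set. Flags are Linux iputils ping (assumption)."""
    cmd = ["ping", "-M", "do", "-c", "1", "-W", "1", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def find_path_mtu(host, probe=ping_df, low=576, high=1500):
    """Binary-search the largest packet size (headers included) that gets through.

    low must be a size expected to work; None is returned if even that fails,
    which points to a reachability problem rather than an MTU one.
    """
    if not probe(host, low - IP_ICMP_HEADERS):
        return None
    if probe(host, high - IP_ICMP_HEADERS):
        return high
    # Invariant from here on: low gets through, high does not.
    while high - low > 1:
        mid = (low + high) // 2
        if probe(host, mid - IP_ICMP_HEADERS):
            low = mid
        else:
            high = mid
    return low

def simulated_path(path_mtu):
    """Stand-in probe for offline runs: drops anything larger than path_mtu."""
    calls = []
    def probe(host, payload):
        calls.append(payload + IP_ICMP_HEADERS)
        return payload + IP_ICMP_HEADERS <= path_mtu
    probe.calls = calls
    return probe

if __name__ == "__main__":
    probe = simulated_path(1400)
    print("path MTU:", find_path_mtu("192.0.2.1", probe))
    print("sizes tried:", probe.calls)
```

A probe that times out counts as a failure, so the search still converges when the ICMP "Fragmentation Needed" replies are being filtered and large packets simply vanish.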
Fixing It
Once you know the path MTU, configure your interface to match.
For persistent issues (like a VPN you use daily), adjusting MTU on your endpoint is usually simpler than convincing every router along the path to handle your oversized packets gracefully.
For networks you control entirely—data centers, internal infrastructure—jumbo frames with larger MTUs can improve efficiency. But only when every device on the path supports them. One standard-MTU link in the middle, and you're back to fragmentation.
The Larger Lesson
MTU and fragmentation reveal something about network design: the Internet is a patchwork. Different technologies, different eras, different constraints—all stitched together.
Fragmentation was the compromise that let incompatible link sizes coexist. Path MTU Discovery was the refinement that let endpoints route around fragmentation's problems. IPv6's prohibition on router fragmentation was the recognition that the compromise created more problems than it solved.
The 1500-byte limit persists not because it's optimal but because changing it would require coordinating millions of independent networks. So we work around it, carefully sizing packets to fit pipes that were designed for a different era.
When your connection hangs mysteriously, when large transfers fail while small ones succeed, when VPNs connect but pass nothing—check the MTU. Somewhere along the path, a packet is too big for the pipe it's trying to fit through.