When security best practices collide (Crippling iSCSI in Windows)
As a security guy, I can tell you – There are a lot of really good security best practices to be applied across all systems, applications, servers and a world over. But when implemented unchecked – Problems will arise.
What I am talking about specifically is this little doozy – EnablePMTUDiscovery
Value name: EnablePMTUDiscovery
Key: Tcpip\Parameters
Value Type: REG_DWORD
Valid Range: 0, 1 (False, True)
Default: 1 (True)
The following list describes the parameters that you can use with this registry value:
Important Setting EnablePMTUDiscovery to 0 negatively affects TCP/IP performance and throughput. Even though Microsoft recommends this setting, it should not be used unless you are fully aware of this performance loss.
That little excerpt taken from:
How to harden the TCP/IP stack against denial of service attacks in Windows 2000
This KB article is still used and is applicable to the Windows 2003 space, but what does this do exactly?
This will drop all transmissions over TCP/IP down to 576 byte packets. Oh and this is a global setting.
So, you go to connect up to an iSCSI LUN, and it connects up just fine.
Your host is working, your storage is working everything is all doozy.
When you start to try to actually -use- that connection for storage though, you’ll begin to experience exponential latency. This latency will translate into IOPS problems and access to the disk, masking this making it appear to be a disk issue. This effectively cripples your application, yet is hidden so well from the system as a problem without sniffing or using something like mturoute you’d never know it is happening.
MTURoute is your friend and will help you determine your current MTU
With that said, on any systems with iSCSI connectivity, I strongly encourage you to NOT disable this setting, ensuring that EnablePMTUDiscovery is always set to 1
Thanks for your time!
Daniel Craig
Hi there, I was looking around for a while searching for security technology and I happened upon this site and your post regarding curity best practices collide (Crippling iSCSI in Windows) | Christopher Kusek, Technology Evangelist, I will definitely this to my security technology bookmarks!