BLACK HOLE ROUTERS

4/8/2005

Black Hole Routers are network devices that are supposed to forward information but instead discard (or appear to discard) some or all of the packets presented to them.

The most common black hole situation comes about when a device in the data path is presented with a packet that is larger than the maximum size it can handle. There are three ways that such a packet can be handled. First, it can be broken into two or more smaller fragments. Second, it can be discarded and the sender can be notified that the packet was dropped. Third, it can be discarded without notification.

Different packet size limits can come about when information is transferred from one transport medium to another, for example when ethernet data is moved onto a token ring network, because different media have different packet size limits. Maximum packet sizes are also affected by encapsulation techniques. For example, if ethernet data is put onto a DSL line using the PPPoE protocol, eight bytes of header must be added to each packet, so the maximum packet size for the link is reduced by eight bytes. Technologies like Virtual Private Network tunneling can further reduce the maximum packet size.

The maximum packet size for a link is called the Maximum Transmission Unit (MTU). For TCP links, the Maximum Segment Size (MSS) is sometimes used instead of the MTU. It is the MTU minus the length of the TCP/IP header information.

Because packet fragmentation is undesirable for performance reasons, many links or individual systems will try to perform a Maximum Packet Usability Determination at the start of a data exchange. This process was defined in an RFC in 1193. ICMP messages of various lengths are sent with the Do Not Fragment flag set. Any device that cannot forward the packet without fragmentation is supposed to drop the packet and return an ICMP reply containing the maximum packet size it will support. Conceptually, this allows the optimum packet size for a link to be determined very quickly. In order to handle the possibility that the link MTU might change later, all packets can be sent with the Do Not Fragment flag set, and devices that drop packets are expected to notify the sender that the packet has been dropped.

In theory, this should work. And it often does. But some equipment does not comply with the standard. And some routers are deliberately configured not to pass ICMP packets in the belief that this increases link security by blocking an unnecessary protocol. Secure it may be. Capable of supporting large packets in data paths, it may not be.

The symptom of black hole routing on internet links is typically that older software that uses fixed, small packet sizes around 500 bytes will work, but software that attempts to optimize the link will not. FTP and VNC, for example, are likely to experience black hole problems. Black hole testing can be done using ping by manipulating the size and fragment flag parameters. All pings should either be echoed or rejected with an indication that fragmentation is needed but not allowed. Timeouts indicate the presence of a black hole router in the path. Judicious use of ping with the size, fragment, and TTL flags can isolate the offending router on an ordinary network. Identifying the black hole device if tunneling is used is much more difficult.
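The test procedure described above, as an added example that is not part of the original article: the script below models a path of hops (each with the MTU of its outgoing link and whether it answers oversized Do-Not-Fragment packets with an ICMP "fragmentation needed" or drops them silently), classifies each probe as echoed, rejected, or timed out, binary-searches the ping payload size to find the path MTU, and walks the TTL outward to name the hop at which probes start to vanish. The hop names, MTUs, and the 192.0.2.1 target address are constructed sample values; the ping_command helper only assembles the real command line for each platform's ping and does not send anything.

```python
"""Simulated DF-flagged ping probing for black hole routers (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

IP_HDR = 20    # IPv4 header bytes
ICMP_HDR = 8   # ICMP echo header bytes; ping payload + 28 = IP packet size
TCP_HDR = 20


class Result(Enum):
    PASSED = "echo reply (or time exceeded when TTL-limited)"
    FRAG_NEEDED = "ICMP fragmentation needed but DF set"
    TIMEOUT = "no reply: black hole"


@dataclass
class Hop:
    name: str
    mtu: int                 # largest IP packet this hop will forward
    sends_icmp: bool = True  # False: discards oversized packets without notice


def effective_mtu(medium_mtu: int, overheads: List[int]) -> int:
    """MTU left for IP after each encapsulation layer (PPPoE, VPN, ...) takes its bytes."""
    return medium_mtu - sum(overheads)


def tcp_mss(mtu: int) -> int:
    """TCP MSS is the MTU minus the IP and TCP headers."""
    return mtu - IP_HDR - TCP_HDR


def probe(path: List[Hop], payload: int, ttl: Optional[int] = None) -> Result:
    """One DF-set echo of `payload` data bytes. With TTL n, the first n-1 hops forward
    the packet and hop n answers 'time exceeded', so only those n-1 hops can drop it."""
    size = payload + IP_HDR + ICMP_HDR
    forwarders = path if ttl is None else path[:ttl - 1]
    for hop in forwarders:
        if size > hop.mtu:
            return Result.FRAG_NEEDED if hop.sends_icmp else Result.TIMEOUT
    return Result.PASSED


def find_path_mtu(path: List[Hop], lo: int = 0, hi: int = 1472) -> Tuple[int, Result]:
    """Binary search on payload size; `lo` must pass, `hi` is the largest candidate
    (1472 = 1500 - 28 for Ethernet). Returns (path MTU, how the first oversized probe failed):
    FRAG_NEEDED means every hop is compliant, TIMEOUT means a black hole is present."""
    r = probe(path, hi)
    if r is Result.PASSED:
        return hi + IP_HDR + ICMP_HDR, r
    failing = r
    while hi - lo > 1:
        mid = (lo + hi) // 2
        r = probe(path, mid)
        if r is Result.PASSED:
            lo = mid
        else:
            hi, failing = mid, r
    return lo + IP_HDR + ICMP_HDR, failing


def locate_black_hole(path: List[Hop], payload: int) -> Optional[str]:
    """Walk the TTL outward with an oversized DF probe; the first TTL whose probe times
    out names the hop that has just become a forwarder. Returns None if the probe is
    rejected (FRAG_NEEDED) by a compliant hop before it ever reaches the black hole."""
    for ttl in range(2, len(path) + 2):
        r = probe(path, payload, ttl)
        if r is Result.TIMEOUT:
            return path[ttl - 2].name
        if r is Result.FRAG_NEEDED:
            return None
    return None


# Real flag spellings of each platform's ping: (count, set DF, size, TTL).
PING_FLAGS = {
    "linux": ("-c", "-M do", "-s", "-t"),
    "windows": ("-n", "-f", "-l", "-i"),
    "macos": ("-c", "-D", "-s", "-m"),
}


def ping_command(os_name: str, host: str, size: int, ttl: Optional[int] = None) -> List[str]:
    """Assemble the command line a tester would type for one DF probe (not executed here)."""
    count, df, size_flag, ttl_flag = PING_FLAGS[os_name]
    cmd = ["ping", count, "1", *df.split(), size_flag, str(size)]
    if ttl is not None:
        cmd += [ttl_flag, str(ttl)]
    return cmd + [host]


# Constructed sample path: LAN gateway, a PPPoE DSL modem that drops silently, ISP core.
SAMPLE_PATH = [
    Hop("lan-gw", 1500),
    Hop("dsl-modem", effective_mtu(1500, [8]), sends_icmp=False),
    Hop("isp-core", 1500),
]

if __name__ == "__main__":
    mtu, how = find_path_mtu(SAMPLE_PATH)
    print(f"path MTU {mtu}, TCP MSS {tcp_mss(mtu)}, first failure: {how.value}")
    print("black hole at:", locate_black_hole(SAMPLE_PATH, 1472))
    print(" ".join(ping_command("linux", "192.0.2.1", 1472, ttl=3)))
```

On a real network the same loop would run ping_command for each probe and classify its output; the simulation keeps the decision logic separate so the search and the TTL walk can be checked without sending packets.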

Copyright 1994-2002 by Donald Kenney.