MSS, or maximum segment size, is the largest data payload that a device will accept from a network connection.
MSS (maximum segment size) limits the size of packets, or small chunks of data, that travel across a network, such as the Internet. All data that travels over a network is broken up into packets. Packets have several headers attached to them that contain information about their contents and destination. MSS measures the non-header portion of a packet, which is called the payload.
If a data packet is compared to a transport truck, with the header being the truck itself and the payload being the trailer and cargo, then MSS is like a scale that measures only the trailer. If the trailer weighs too much, then the truck is not allowed to continue to its destination.
More specifically, MSS is the largest TCP (Transmission Control Protocol) segment size that a network-connected device can receive. For the purposes of MSS, a "segment" means only the payload, not any of the attached headers. MSS is measured in bytes.
MSS is determined by another metric that has to do with packet size: MTU, or the maximum transmission unit, which does include the TCP and IP (Internet Protocol) headers. To continue the analogy, MTU measures the total weight of the truck and its trailer and cargo, instead of just the trailer and cargo.
Essentially, the MSS is equal to MTU minus the size of a TCP header and an IP header:
MTU - (TCP header + IP header) = MSS
One of the key differences between MTU and MSS is that if a packet exceeds a device's MTU, it is broken up into smaller pieces, or "fragmented." In contrast, if a packet exceeds the MSS, it is dropped and not delivered.
The Transmission Control Protocol, or TCP, is a protocol that ensures data packets are delivered and received in order, with no dropped packets. Imagine if parcel delivery services called all package recipients ahead of time to make sure they would be home at a certain time before delivering packages, then sent word back to the sender to confirm they had been delivered. TCP works somewhat like that, with data packets as the "packages" being delivered.
TCP works by opening a connection between the two devices that are communicating via a process called a TCP handshake. The MSS is agreed on during the TCP handshake: both devices communicate the size of the packets they are able to receive (this can be called "MSS clamping"; see below). TCP adds a header to all packets to indicate which open connection each packet is a part of and what order the packets go in.
TCP headers are almost always 20 bytes* long. IP headers include information such as the source and destination IP address, and they are also 20 bytes long. Both TCP and IP packets include optional header fields that can make the headers longer, but these are almost never used.
*In computer science, a byte is a unit of memory size that represents eight binary digits; in other words, a combination of eight ones and zeroes.
Suppose a network router has an MTU of 1,500, meaning it only accepts packets up to 1,500 bytes long. (Longer packets will be fragmented.) What should the MSS for the router be set to?
MTU - (TCP header + IP header) = MSS
1,500 - (20 + 20) = 1,460
The router’s MSS should be set to 1,460 bytes. Packets with a payload size larger than 1,460 bytes will be dropped. (A device could send an overly large packet like this by mistake if it is not aware of the MTU and MSS settings of the routers in between it and another device. A process called path MTU discovery helps avoid such incidents.)
IPsec (Internet Protocol security) is the encrypted version of IP. Data packets sent using IPsec are scrambled so that only the two connected devices are able to interpret them, keeping their payload contents secure from anyone who might intercept the packets. IPsec is often used to set up Virtual Private Networks, or VPNs.
IPsec adds a few bytes to the length of a packet. On connections that use this encryption, MSS must take IPsec into account as well:
MTU - (TCP header + IP header + IPsec) = MSS
MSS is a layer 4, or transport layer, metric. It is used with TCP, a transport layer protocol. However, it is closely related to MTU, which applies to layer 3 (the network layer).
Occasionally, a router along a network path has an MTU value set lower than the typical 1,500 bytes. This can result in packet loss and can be difficult to discover.
To ensure packets still reach their destination in this situation, one option is to reduce the size of incoming packet payloads. This can be achieved by configuring the server to apply an MSS clamp: during the TCP handshake, the server can signal the MSS for packets it is willing to receive, "clamping" the maximum payload size from the other server. For example, if servers A and B are establishing a TCP connection and server B communicates an MSS of 1,436 bytes, server A will send packets with a maximum payload size of 1,436 bytes for the duration of the connection.
Another application of MSS clamping is in the case of GRE tunneling, where a 24-byte header is added to the original packet in order to send it to a new destination. If the original packet was larger than 1,476 bytes, this could make the new packet exceed the typical 1,500-byte MTU; an MSS clamp can be applied to require incoming packets to be less than 1,500 bytes even after the GRE header is applied.
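As an added example (not code from the Cloudflare article), the Python below ties the MSS formula, the MSS option carried in the TCP handshake, and MSS clamping together: it builds a SYN carrying the MSS option, reads the advertised value back out of the option list, and clamps it against a local MTU budget using the article's 20-byte TCP and IP headers and its 24-byte GRE overhead. The option encoding (kind 2, length 4, 16-bit value) comes from the TCP specification; the port numbers and the two-server scenario are constructed for illustration.

```python
import struct

TCP_HEADER = 20   # bytes, without options (the article's usual case)
IP_HEADER = 20    # IPv4 header without options
GRE_HEADER = 24   # per-packet overhead the article gives for GRE tunnelling
MSS_KIND, MSS_LEN = 2, 4  # TCP option: kind 2 (MSS), 4 bytes long


def mss_for_mtu(mtu, overhead=0):
    """MTU - (TCP header + IP header + tunnel/IPsec overhead) = MSS."""
    return mtu - (TCP_HEADER + IP_HEADER + overhead)


def build_syn(src_port, dst_port, mss):
    """Construct a 24-byte TCP SYN: 20-byte header plus the MSS option."""
    data_offset = 6            # header length in 32-bit words (24 / 4)
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                         data_offset << 4, 0x02, 65535, 0, 0)  # 0x02 = SYN
    return header + struct.pack("!BBH", MSS_KIND, MSS_LEN, mss)


def advertised_mss(segment):
    """Walk the TCP option list and return the peer's MSS, or None if absent."""
    data_offset = (segment[12] >> 4) * 4
    opts = segment[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # End of option list
            break
        if kind == 1:          # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break              # truncated or malformed option
        length = opts[i + 1]
        if kind == MSS_KIND and length == MSS_LEN and i + 4 <= len(opts):
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None


def effective_mss(peer_syn, local_mtu, overhead=0):
    """Clamp: the smaller of what the peer advertised and what we can accept."""
    local = mss_for_mtu(local_mtu, overhead)
    peer = advertised_mss(peer_syn)
    return local if peer is None else min(peer, local)


if __name__ == "__main__":
    # Constructed scenario: server A (plain 1,500-byte MTU, advertises 1460)
    # sends a SYN to server B, which sits behind a GRE tunnel on a 1,500-byte MTU.
    syn_from_a = build_syn(40000, 443, mss_for_mtu(1500))
    print(effective_mss(syn_from_a, 1500, GRE_HEADER))  # 1436
```

A SYN with no MSS option falls back to the local budget; the parser also stops at a malformed option rather than reading past the header.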
To learn more about MTU and MSS, see What is MTU?