The "Silent Drop" Problem
Users frequently experience mysterious connection failures when moving between networks or encountering legacy infrastructure with strict Maximum Transmission Unit (MTU) limitations. This "PMTUD Black Hole" occurs when a router with a lower MTU limit silently drops oversized packets instead of sending ICMP feedback messages requesting smaller packets. Modern security protocols like those supporting FIPS 140-2 compliance add encryption overhead, making packets larger and more likely to trigger these silent failures on constrained networks like LTE/5G, satellite links, or public safety networks.
Cloudflare's Active Solution
Rather than passively waiting for ICMP error messages that may never arrive, Cloudflare implemented RFC 8899 Datagram Packetization Layer Path MTU Discovery (DPLPMTUD). The client now actively probes the network path using:
- Active probing: Sends encrypted packets of varying sizes to discover the maximum packet size the path supports
- Binary search methodology: Tests MTU values from the upper bound down to the midpoint, narrowing the range until it pinpoints the exact capacity
- Dynamic adjustment: Periodically revalidates the path and resizes the virtual interface MTU in real time as network conditions change
This approach works seamlessly with the MASQUE protocol and Cloudflare's open-source QUIC library, providing non-disruptive background negotiation that developers and users don't need to manage manually.
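The probing loop described above, as an added example (a simplified sketch, not code from Cloudflare's client or QUIC library): a simulated black-hole path that drops oversized probes without any ICMP reply, and a binary search that relies only on whether each probe is acknowledged. The 1200-byte floor, 1500-byte ceiling, three-attempt retry count and all function names are assumptions of this sketch.

```python
from typing import Callable, List, Tuple

MAX_PROBES = 3      # RFC 8899 default: lost probes of one size before it is ruled out
BASE_PLPMTU = 1200  # assumed floor (QUIC's minimum datagram size), in bytes

Path = Callable[[int], bool]  # send one probe; True = acknowledged, False = timed out

def black_hole_path(path_mtu: int) -> Path:
    """Constructed path model: oversized probes vanish and no ICMP comes back."""
    return lambda size: size <= path_mtu

def lossy(path: Path, drop_first: int) -> Path:
    """Wrap a path so its first `drop_first` probes are lost whatever their size."""
    remaining = [drop_first]

    def send(size: int) -> bool:
        if remaining[0] > 0:
            remaining[0] -= 1
            return False
        return path(size)
    return send

def confirmed(path: Path, size: int) -> bool:
    """A size fails only after MAX_PROBES silent timeouts, so that a single
    congestion loss is not mistaken for an MTU limit."""
    return any(path(size) for _ in range(MAX_PROBES))

def discover_plpmtu(path: Path, max_plpmtu: int = 1500) -> Tuple[int, List[int]]:
    """Return (largest confirmed size, sizes probed in order)."""
    tried: List[int] = []

    def probe(size: int) -> bool:
        tried.append(size)
        return confirmed(path, size)

    if not probe(BASE_PLPMTU):
        raise ConnectionError("base size unconfirmed: path unusable or fully lossy")
    if probe(max_plpmtu):
        return max_plpmtu, tried
    good, bad = BASE_PLPMTU, max_plpmtu   # invariant: good passes, bad is dropped
    while bad - good > 1:
        mid = (good + bad) // 2
        if probe(mid):
            good = mid
        else:
            bad = mid
    return good, tried
```

On a path limited to 1380 bytes the search starts 1200, 1500, 1350 and settles on 1380; the sender never needs an ICMP message, only the absence of acknowledgements.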
Real-World Impact
The feature addresses critical use cases from first responders to hybrid workers. Emergency responders using vehicle-mounted routers often navigate complex NAT-traversal and priority-routing layers that aggressively constrain MTU. Previously, Computer Aided Dispatch systems would disconnect frequently during tower handoffs. Remote workers in different countries encountering legacy middleboxes and double-NAT environments now experience seamless video calls and file transfers instead of timeouts.
Getting Started
Cloudflare One Client users on the MASQUE protocol can enable Path MTU Discovery immediately at no additional cost. The feature works across Windows and other supported platforms. Detailed deployment documentation is available in the Cloudflare One developer portal.