From: Steffen Klassert <steffen.klassert@secunet.com>
To: David Miller <davem@davemloft.net>
Cc: eric.dumazet@gmail.com, herbert@gondor.hengli.com.au,
netdev@vger.kernel.org
Subject: Re: [PATCH 2/3] ipv4: Fix packet size calculation for IPsec packets in __ip_append_data
Date: Thu, 30 Jun 2011 11:06:23 +0200 [thread overview]
Message-ID: <20110630090623.GA13201@secunet.com> (raw)
In-Reply-To: <20110627.203938.1899202479649578621.davem@davemloft.net>
On Mon, Jun 27, 2011 at 08:39:38PM -0700, David Miller wrote:
> From: Steffen Klassert <steffen.klassert@secunet.com>
> Date: Wed, 22 Jun 2011 13:02:19 +0200
>
> > While reading through the code of __ip_append_data() I noticed that we
> > might use ip_ufo_append_data() for packets that will be IPsec transformed
> > later, is this ok? I don't know how ufo handling works, but I would guess
> > that it expects an udp header and not an IPsec header as the packets
> > transport header.
>
> Indeed, it could be a real problem.
Ok, so I'll send a patch to fix it up.
>
> > The IPsec mtu is 1438 here, so the first packet is too big.
> > xfrm4_tunnel_check_size() notices this and sends a ICMP_FRAG_NEEDED
> > packet that announces a mtu of 1438 to the original sender of the ping
> > packet. Unfortunately the sender is a local address, it's the IPsec
> > tunnel entry point. So we update the mtu for this connection to 1438.
> > Now, with the next packet xfrm_bundle_ok() notices that the path mtu has
> > changed, so it subtracts the IPsec overhead from the mtu a second time
> > and we end up with a mtu of 1374. This game goes until we reach a minimal
> > mtu of 494.
> >
> > Unfortunately I don't know how to fix this. Any ideas?
>
> If the generic PMTU handling in net/ipv4/route.c is adjusting the MTU
> for the IPSEC path's route, that would be the problem.
>
Yes, this is exactly what happens. We use icmp_send() to notify about
message size errors even for locally generated packets, this leads to
an incorrect pmtu update. Changing this to use ip_local_error() if we
have socket context fixes the problem. I'll send a patch for this too.
next prev parent reply other threads:[~2011-06-30 9:05 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-06-06 6:46 [PATCH 1/3] xfrm: Fix off by one in the replay advance functions Steffen Klassert
2011-06-06 6:48 ` [PATCH 2/3] ipv4: Fix packet size calculation for IPsec packets in __ip_append_data Steffen Klassert
2011-06-06 7:38 ` Eric Dumazet
2011-06-06 8:52 ` Steffen Klassert
2011-06-07 5:06 ` Eric Dumazet
2011-06-08 5:30 ` Steffen Klassert
2011-06-09 21:47 ` David Miller
2011-06-22 11:02 ` Steffen Klassert
2011-06-28 3:39 ` David Miller
2011-06-30 9:06 ` Steffen Klassert [this message]
2011-06-06 6:48 ` [PATCH 3/3] ipv4: Fix packet size calculation for raw " Steffen Klassert
2011-06-09 21:50 ` David Miller
2011-06-08 4:15 ` [PATCH 1/3] xfrm: Fix off by one in the replay advance functions David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110630090623.GA13201@secunet.com \
--to=steffen.klassert@secunet.com \
--cc=davem@davemloft.net \
--cc=eric.dumazet@gmail.com \
--cc=herbert@gondor.hengli.com.au \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.