From: Steffen Klassert <steffen.klassert@secunet.com>
To: David Miller <davem@davemloft.net>
Cc: <alexander.h.duyck@redhat.com>, <alexander.duyck@gmail.com>,
	<netdev@vger.kernel.org>
Subject: Re: Looking for a lost patch
Date: Wed, 27 May 2015 10:35:16 +0200
Message-ID: <20150527083514.GB27342@secunet.com>
In-Reply-To: <20150521.172524.1057695410816294973.davem@davemloft.net>

On Thu, May 21, 2015 at 05:25:24PM -0400, David Miller wrote:
> From: Steffen Klassert <steffen.klassert@secunet.com>
> Date: Wed, 20 May 2015 08:32:23 +0200
> 
> > On Tue, May 19, 2015 at 11:32:15AM -0700, Alexander Duyck wrote:
> >> On 05/19/2015 12:57 AM, Steffen Klassert wrote:
> >> >The MTU should be 1500. All the IPsec overhead is handled by PMTU
> >> >discovery, just like in the case we use IPsec without vti tunnels.
> >> >The IPv6 side of vti does it like that.
> >> 
> >> The problem is the PMTU isn't communicated to things that make use
> >> of the tunnel.  For example if I do a "ping -s 2000 x.x.x.x" across
> >> an IPv6 VTI interface it will fail currently as it assumes the MTU
> >> is 1500 and so it is fragmenting the ping packet at sizes that won't
> >> be communicated across the underlying interface.
> > 
> > Well, the problem is that the local socket is still attached on the
> > skb. The socket gets an error notification if the packet is too big,
> > but ping does not care much about these error notifications.
> > 
> > One option to get such applications to work is to orphan the skb
> > in the vti xmit function. Then the packet is not assumed to be
> > local, so PMTU discovery is triggered on that route.
> > 
> > Something like this should work for IPv6:
> 
> When a packet traverses software layered devices, we should not orphan
> the socket.
> 
> In fact, we have taken great pains to make sure this works so that the
> socket memory accounting is done correctly on the original top-level
> socket.

I have not considered this as an official patch :)
It was more to demonstrate that PMTU discovery with IPsec tunnels can
work, so we don't need to reduce the MTU of the tunnel device.

We currently check if a socket is attached to a skb and do socket
error notification in this case, otherwise we do PMTU discovery if
the packet is too big. Looks like this socket check is not sufficient
if the packet is already transmitted through a tunnel device.

I wonder if we have something to know that a packet was already
transmitted through a tunnel device. We could switch from socket
notification to PMTU discovery in this case.
