From: Patrick McHardy <kaber@trash.net>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Linux Netdev List <netdev@vger.kernel.org>
Subject: Re: IPsec PMTUD problem
Date: Tue, 03 Apr 2007 18:32:07 +0200
Message-ID: <46128187.4090601@trash.net>
In-Reply-To: <20070403095510.GA7754@gondor.apana.org.au>
Herbert Xu wrote:
> On Mon, Apr 02, 2007 at 04:10:25PM +0200, Patrick McHardy wrote:
>
>>I noticed a problem with PMTUD between two IPsec tunnel endpoints.
>>When sending a packet larger than the PMTU with IP_DF from one
>>tunnel endpoint to the other, xfrm4_output sends an ICMP frag.
>>required with the IPsec MTU. Since the addresses match the tunnel
>>endpoints, this updates the MTU for the XFRM route with the value
>>that was calculated for the entire bundle, which in turn causes
>>a decrease for the bundle, resulting in further ICMP frag. required
>>messages until the minimum is reached.
>
>
> I presume you're using the same pair of addresses inside and
> outside the tunnel? If so the problem is that the kernel doesn't
> distinguish between internal ICMP errors and external ones.
> So when an MTU update occurs for the internal pair the external
> pair is also affected.
Exactly.
> We'd need some field in the routing cache to distinguish the
> two pairs.
I'm not sure I understand how this would work, the ICMP message
looks the same in both cases. Or are you suggesting to
differentiate based on the source of the ICMP message?
> Of course the easy work-around is to use distinct addresses
> within IPsec tunnels.
Yes, that would work as a workaround, but it still seems like
something worth fixing.
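The feedback loop described above, as an added illustration that is not code from the thread or from the kernel: a two-entry routing cache holds the outer route to the peer and the XFRM route for the same address pair, the bundle MTU is the outer MTU minus the encapsulation overhead, and an oversized DF packet makes the output path emit "fragmentation needed" with the bundle MTU. With `distinguish == 0` every entry matching the address pair is lowered, which is the behaviour the report describes; with `distinguish != 0` a hypothetical per-entry flag of the kind Herbert suggests lets an update raised by the tunnel's own output path touch only the XFRM entry. The overhead of 56 bytes, the 552-byte floor, the 1500-byte link MTU, the addresses and the `is_xfrm` field are all assumptions of this model.

```c
#include <stdio.h>
#include <stdint.h>

/*
 * Constructed model of the PMTUD loop discussed in the thread. It is not
 * kernel code; every constant below is an assumption chosen for illustration.
 */
#define ESP_TUNNEL_OVERHEAD 56u   /* assumed ESP tunnel-mode overhead per packet */
#define MIN_PMTU            552u  /* assumed floor below which the MTU is not lowered */
#define LINK_MTU            1500u /* assumed MTU of the outer path */
#define MAX_ROUNDS          64

enum { ROUTE_OUTER = 0, ROUTE_XFRM = 1 };

struct rt_entry {
    uint32_t saddr, daddr; /* same pair inside and outside the tunnel */
    int      is_xfrm;      /* hypothetical field telling the two entries apart */
    unsigned mtu;
};

struct pmtud_result {
    int      icmp_count;  /* ICMP "fragmentation needed" messages generated */
    unsigned outer_mtu;   /* MTU of the outer route once things settle */
    unsigned bundle_mtu;  /* MTU the XFRM bundle ends up advertising */
};

/* The bundle MTU follows the outer route's MTU minus the encapsulation. */
static unsigned bundle_mtu_of(unsigned outer_mtu)
{
    if (outer_mtu <= MIN_PMTU + ESP_TUNNEL_OVERHEAD)
        return MIN_PMTU;
    return outer_mtu - ESP_TUNNEL_OVERHEAD;
}

/*
 * Apply an MTU update to the cache. With distinguish == 0 every entry whose
 * address pair matches is lowered (the behaviour the report describes); with
 * distinguish != 0 an update raised by the tunnel's own output path is only
 * applied to entries of the same kind (here: the XFRM entry).
 */
static void rt_update_pmtu(struct rt_entry rt[2], uint32_t saddr, uint32_t daddr,
                           unsigned mtu, int from_xfrm, int distinguish)
{
    for (int i = 0; i < 2; i++) {
        if (rt[i].saddr != saddr || rt[i].daddr != daddr)
            continue;
        if (distinguish && rt[i].is_xfrm != from_xfrm)
            continue;
        if (mtu < rt[i].mtu)
            rt[i].mtu = mtu;
    }
}

struct pmtud_result run_pmtud(int distinguish)
{
    const uint32_t a = 0x0a000001, b = 0x0a000002; /* constructed: 10.0.0.1 -> 10.0.0.2 */
    struct rt_entry rt[2] = {
        [ROUTE_OUTER] = { a, b, 0, LINK_MTU },
        [ROUTE_XFRM]  = { a, b, 1, bundle_mtu_of(LINK_MTU) },
    };
    struct pmtud_result r = { 0, 0, 0 };
    unsigned sender_pmtu = LINK_MTU; /* what the DF-setting sender believes the path allows */

    for (int round = 0; round < MAX_ROUNDS; round++) {
        /* The bundle is re-derived from the outer route before each send. */
        rt[ROUTE_XFRM].mtu = bundle_mtu_of(rt[ROUTE_OUTER].mtu);
        unsigned pkt = sender_pmtu; /* sender fills the path as it currently knows it */
        if (pkt <= rt[ROUTE_XFRM].mtu)
            break;
        /* DF set and packet larger than the bundle MTU: ICMP frag. required */
        r.icmp_count++;
        sender_pmtu = rt[ROUTE_XFRM].mtu;
        rt_update_pmtu(rt, a, b, rt[ROUTE_XFRM].mtu, /*from_xfrm=*/1, distinguish);
    }
    r.outer_mtu  = rt[ROUTE_OUTER].mtu;
    r.bundle_mtu = rt[ROUTE_XFRM].mtu;
    return r;
}

int main(void)
{
    for (int d = 0; d < 2; d++) {
        struct pmtud_result r = run_pmtud(d);
        printf("distinguish=%d: %d ICMP messages, outer MTU %u, bundle MTU %u\n",
               d, r.icmp_count, r.outer_mtu, r.bundle_mtu);
    }
    return 0;
}
```

Without the distinguishing field the outer route is lowered to the bundle MTU on every round, so the bundle shrinks by the overhead again and the loop only stops at the floor; with it, a single ICMP message settles the sender at the bundle MTU and the outer route keeps the link MTU.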
Thread overview:
2007-04-02 14:10 IPsec PMTUD problem Patrick McHardy
2007-04-03 9:55 ` Herbert Xu
2007-04-03 16:32 ` Patrick McHardy [this message]
2007-04-05 12:04 ` Herbert Xu
2007-04-05 12:09 ` Patrick McHardy
2007-04-05 12:12 ` Herbert Xu
2007-04-05 12:16 ` Patrick McHardy
2007-04-05 12:17 ` Herbert Xu