netdev.vger.kernel.org archive mirror
From: "David S. Miller" <davem@redhat.com>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: kuznet@ms2.inr.ac.ru, jmorris@redhat.com, netdev@oss.sgi.com
Subject: Re: IPsec and Path MTU
Date: Thu, 17 Jun 2004 15:29:21 -0700
Message-ID: <20040617152921.730892c7.davem@redhat.com>
In-Reply-To: <20040617213832.GC14089@gondor.apana.org.au>

On Fri, 18 Jun 2004 07:38:32 +1000
Herbert Xu <herbert@gondor.apana.org.au> wrote:

> Suppose that the MTU of 192.168.0.1 is 1500, and that the calculated MTU
> for the bundle is 1430.
> 
> If there is a host 10.10.10.10 on the Internet or behind some sort
> of VPN where the path from 192.168.0.1 to it has an MTU of 1200,
> then by sending a 1430-byte packet to 10.10.10.10 from 192.168.0.2,
> we will get back an ICMP packet saying that the largest MTU for
> 192.168.0.2-10.10.10.10 is 1200.
> 
> This will be successfully stored in the route entry.  But the route
> entry's MTU is not used at all since the MTU of the bundle is deduced
> from the MTU of the path, 192.168.0.1.  So we'll continue to send large
> packets to 10.10.10.10.

This is what Alexey is talking about.  When we send a packet out for
an IPSEC rule, we have to remember the inner (per-transform pre-tunnel)
IP addresses (keyed by outer IP address and ESP/AH spi) in order to get
the ICMP PMTU messages handled correctly.  We don't do this right now,
it's difficult and complicated work.

Tunnels are where we do absolutely the wrong thing right now and PMTU does
not work.

What happens in your example is:

	PACKET
	 transformed to --> [new IP hdr, ESP][Transformed PACKET]

ICMP's come back addressed to the IP address in "new IP hdr"
above.  We need a way to go from that, plus the ESP spi, to the
inner transformed IP header information.

That is the missing link, and what we're not doing now.

It's an issue not specific to making the gateway be the sender of
the packet, it's an issue with tunnels in all cases currently.
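The "missing link" described above, written out as an added example (not code from this thread or from the Linux kernel): an ICMP "fragmentation needed" arrives addressed to the outer header, and RFC 792 guarantees it quotes that outer IP header plus the first 64 bits of payload, which for ESP are exactly the SPI and sequence number. Keying a table by (outer src, outer dst, SPI) is enough to recover the inner 192.168.0.2 -> 10.10.10.10 flow and shrink its MTU, accounting for the ESP overhead. The peer address 203.0.113.1, SPI 0x1001 and the cipher-suite overhead (16-byte IV and block, 12-byte ICV) are assumptions for the example; with other parameters the inner MTU for a 1500-byte path would differ from the 1430 quoted earlier in the thread.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not Linux code: one tunnel-mode ESP SA that remembers
 * the inner addresses alongside the outer (src, dst, SPI) key. */
struct esp_tunnel_sa {
    uint32_t outer_src, outer_dst;       /* addresses in "new IP hdr", host order */
    uint32_t spi;                        /* ESP SPI, host order */
    uint32_t inner_src, inner_dst;       /* pre-tunnel addresses this SA carries */
    unsigned iv_len, icv_len, block_len; /* assumed cipher-suite parameters */
};

struct pmtu_result {
    int found;                     /* 1 if (outer src, dst, SPI) matched an SA */
    uint32_t inner_src, inner_dst;
    unsigned outer_mtu;            /* next-hop MTU reported by the ICMP */
    unsigned inner_mtu;            /* largest inner datagram that still fits */
};

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Largest inner IPv4 datagram fitting in an outer packet of outer_mtu bytes.
 * Outer IPv4 header (20) + SPI/seq (8) + IV + ICV are fixed; the encrypted
 * region (inner packet + padding + pad-len + next-header) is block aligned. */
static unsigned esp_inner_mtu(const struct esp_tunnel_sa *sa, unsigned outer_mtu)
{
    unsigned fixed = 20 + 8 + sa->iv_len + sa->icv_len, room;
    if (outer_mtu < fixed + sa->block_len)
        return 0;
    room = outer_mtu - fixed;
    room -= room % sa->block_len;  /* round down to a whole cipher block */
    return room - 2;               /* pad-len and next-header trailer bytes */
}

/* Map an ICMP type 3 code 4 ("fragmentation needed") back to the inner flow. */
static struct pmtu_result esp_handle_frag_needed(const uint8_t *icmp, size_t len,
                                                 const struct esp_tunnel_sa *table,
                                                 size_t n)
{
    struct pmtu_result r = {0};
    const uint8_t *ip;
    unsigned ihl;
    uint32_t src, dst, spi;
    size_t i;

    if (len < 8 + 20 + 8 || icmp[0] != 3 || icmp[1] != 4)
        return r;                              /* not dest-unreach/frag-needed */
    r.outer_mtu = ((unsigned)icmp[6] << 8) | icmp[7];  /* RFC 1191 next-hop MTU */

    ip = icmp + 8;                             /* quoted outer IPv4 header */
    if ((ip[0] >> 4) != 4)
        return r;
    ihl = (ip[0] & 0x0f) * 4u;
    if (ihl < 20 || len < 8 + ihl + 8 || ip[9] != 50)
        return r;                              /* protocol 50 = ESP */
    src = get_be32(ip + 12);
    dst = get_be32(ip + 16);
    spi = get_be32(ip + ihl);                  /* first payload word = SPI */

    for (i = 0; i < n; i++) {
        const struct esp_tunnel_sa *sa = &table[i];
        if (sa->outer_src == src && sa->outer_dst == dst && sa->spi == spi) {
            r.found = 1;
            r.inner_src = sa->inner_src;
            r.inner_dst = sa->inner_dst;
            r.inner_mtu = esp_inner_mtu(sa, r.outer_mtu);
            return r;
        }
    }
    return r;                                  /* unknown SA: nothing to update */
}

/* Constructed SA: gateway 192.168.0.1 tunnels 192.168.0.2 -> 10.10.10.10 to an
 * assumed peer 203.0.113.1 under assumed SPI 0x1001 (AES-CBC-style 16-byte
 * IV and block, 12-byte ICV). */
static const struct esp_tunnel_sa sa_table[] = {
    { 0xC0A80001u, 0xCB007101u, 0x1001u, 0xC0A80002u, 0x0A0A0A0Au, 16, 12, 16 },
};

/* Constructed ICMP from a router on the path: next-hop MTU 1200, quoting the
 * outer ESP packet's IPv4 header and its SPI/sequence words. */
static const uint8_t sample_icmp[] = {
    0x03, 0x04, 0x00, 0x00, 0x00, 0x00, 0x04, 0xB0, /* type 3, code 4, csum, MTU 1200 */
    0x45, 0x00, 0x05, 0xC0, 0x00, 0x00, 0x40, 0x00, /* IPv4, ihl 5, len, id, DF */
    0x40, 0x32, 0x00, 0x00, 0xC0, 0xA8, 0x00, 0x01, /* ttl, proto 50, csum, src */
    0xCB, 0x00, 0x71, 0x01,                         /* dst 203.0.113.1 */
    0x00, 0x00, 0x10, 0x01, 0x00, 0x00, 0x00, 0x07, /* SPI 0x1001, seq 7 */
};

static struct pmtu_result demo_lookup(void)
{
    return esp_handle_frag_needed(sample_icmp, sizeof sample_icmp,
                                  sa_table, sizeof sa_table / sizeof sa_table[0]);
}

int main(void)
{
    struct pmtu_result r = demo_lookup();
    if (!r.found)
        return 1;
    printf("outer MTU %u -> inner MTU %u for 0x%08x -> 0x%08x\n",
           r.outer_mtu, r.inner_mtu, r.inner_src, r.inner_dst);
    return 0;
}
```

With the constructed SA, the 1200-byte outer MTU yields an inner MTU of 1134, which is the value the inner route entry (not the gateway's own path) would need to store for the 192.168.0.2 -> 10.10.10.10 flow; an ICMP quoting an unknown SPI is ignored rather than allowed to change any route.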


Thread overview: 23+ messages
2004-06-15 12:43 IPsec and Path MTU Herbert Xu
2004-06-15 14:50 ` Michael Richardson
2004-06-16 11:43   ` Herbert Xu
2004-06-16 14:43     ` Michael Richardson
2004-06-18  7:35   ` Glen Turner
2004-06-16 12:10 ` Herbert Xu
2004-06-16 14:12   ` James Morris
2004-06-16 20:23   ` Alexey Kuznetsov
2004-06-16 20:49     ` David S. Miller
2004-06-16 23:11     ` Herbert Xu
2004-06-17 17:58       ` David S. Miller
2004-06-17 21:31         ` Herbert Xu
2004-06-17 22:22           ` David S. Miller
2004-06-17 23:09             ` Herbert Xu
2004-06-16 19:56 ` Alexey Kuznetsov
2004-06-16 23:13   ` Herbert Xu
2004-06-17 19:01     ` Alexey Kuznetsov
2004-06-17 21:38       ` Herbert Xu
2004-06-17 22:29         ` David S. Miller [this message]
2004-06-17 23:12           ` Herbert Xu
2004-06-17 23:14             ` David S. Miller
2004-06-17 23:18               ` Herbert Xu
     [not found]         ` <20040618202551.GA2733@ms2.inr.ac.ru>
2004-06-18 22:21           ` Herbert Xu
