From: Steffen Klassert <steffen.klassert@secunet.com>
To: Karl Heiss <kheiss@gmail.com>
Cc: <netdev@vger.kernel.org>
Subject: Re: IPSEC: tunnel breakage with out-of-order IPv4 fragments
Date: Tue, 15 Jul 2014 11:16:13 +0200 [thread overview]
Message-ID: <20140715091613.GD6633@secunet.com> (raw)
In-Reply-To: <CAGugRbWL8Orkobwt4FENyswLsm1jWLBMdr-WJ6mCBhVn-xGwXw@mail.gmail.com>
On Mon, Jul 14, 2014 at 07:52:23AM -0400, Karl Heiss wrote:
> On Mon, Jul 14, 2014 at 5:33 AM, Steffen Klassert
> <steffen.klassert@secunet.com> wrote:
> >
> > Your tcpdump looks interesting. Is it possible that all your
> > fragmented packets have the id field set to 'id 0'? This should
> > be only the case if the DF flag is set on that packet, but this
> > is apparently not the case here. If all the fragmented packets
> > have id 0, it is not possible to determine the correct fragment
> > chain. If only one fragment gets lost, all further packets might
> > be reassembled wrong.
> >
>
> Yes, all fragments have 'id 0'.
>
> > When looking at the code, is seems that sctp sets the DF flag
> > on packets as the default. The IPsec encapsulation code copies
> > the DF bit from the inner header and sets 'id 0' in this case.
> > A first guess would be that someone removes the DF flag after
> > the IPsec encapsulation.
> >
> > Is the DF flag set on your inner sctp packets?
> >
>
> Yes, the inner packets have DF set, but the outer do not.
So we need to find where the DF flag disappears.
I tried to reproduce your issue with the current net tree,
but I was not able to do so.
With the plain net tree, all packets have the DF flag set
(sctp and esp), no fragments.
With the net tree and commit c08751c851b78514f6ec5 reverted,
I have some packets with the DF flag and some without. The
packets without the DF flag got fragmented after IPsec
processing. But even in this case, the ESP packet has the
DF flag set whenever the inner sctp packet has it set.
And also, the DF flag is set whenever a packet has 'id 0'.
The fragmented packets never have the 'id 0'.
Can you describe your usecase more precisely? Do you use
any additional tunnel like ipip/gre etc. or packet mangling?
next prev parent reply other threads:[~2014-07-15 9:16 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-10 14:57 IPSEC: tunnel breakage with out-of-order IPv4 fragments Karl Heiss
2014-07-10 15:11 ` Karl Heiss
2014-07-11 11:00 ` Steffen Klassert
2014-07-11 12:51 ` Karl Heiss
2014-07-14 9:33 ` Steffen Klassert
2014-07-14 11:52 ` Karl Heiss
2014-07-15 9:16 ` Steffen Klassert [this message]
2014-07-15 12:13 ` Karl Heiss
2014-07-16 10:59 ` Steffen Klassert
2014-07-16 11:49 ` Karl Heiss
2014-07-16 12:26 ` Karl Heiss
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140715091613.GD6633@secunet.com \
--to=steffen.klassert@secunet.com \
--cc=kheiss@gmail.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).