From: Patrick McHardy <kaber@trash.net>
To: Lennert Buytenhek <buytenh@wantstofly.org>
Cc: Ludo Stellingwerff <ludo@protactive.nl>,
Herbert Xu <herbert@gondor.apana.org.au>,
netdev@oss.sgi.com
Subject: Re: [22/*] [NETFILTER] Use correct IPsec MTU in TCPMSS
Date: Sun, 20 Mar 2005 18:49:43 +0100
Message-ID: <423DB7B7.1070604@trash.net>
In-Reply-To: <20050320171707.GE4201@xi.wantstofly.org>
Lennert Buytenhek wrote:
> In my situation, there are three different sites in the same city
> (Amsterdam), interconnected using a shared L2 vlan, and six routers
> (A1, A2, B1, B2, C1, C2) on that vlan, two per site for redundancy
> reasons. Each router runs ospf.
>
> The vlan is provided to us by a telco that we do not necessarily trust.
> So ideally, we'd like all traffic that goes over the vlan (modulo ARPs
> and STP and stuff) to be encrypted. ("-o eth3 -j ENCRYPT")
>
> The problem I kept running into with tunnel mode is that tunnel
> mode SPD rules appear to dictate routing policy in a way that's not
> compatible with dynamic routing.
>
> I.e., a line like:
>
> spdadd 10.10.1.0/24 10.0.1.0/24 any -P out ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
>
> effectively says "All traffic from 10.10.1.0/24 to 10.0.1.0/24 will
> be sent over a tunnel with local endpoint 1.2.3.4 and remote endpoint
> 5.6.7.8", but:
> - I have no idea beforehand what address ranges are going to be routed
> over this vlan. (Customers might send traffic with source addresses
> in address ranges that they don't announce to us (asymmetric routing),
> and I don't want those packets to remain unencrypted just because they
> don't match the SPD rule.) A 0.0.0.0/0 0.0.0.0/0 rule would not be
> appropriate either since that'd suck _all_ traffic into this tunnel
You can specify an ifindex for oif in the selector, but you need
to use the xfrm_user interface.
> - I have no idea beforehand what the remote nexthop is going to be. A1
> might ordinarily send its traffic for site B to B1, but if B1 fails
> it'll want to start using B2 instead, which would be prevented by the
> SPD rule hardcoding the remote tunnel endpoint to B1.
>
> The workaround we tried at first was to create GRE tunnels between each
> pair of routers on the vlan, and to run ospf over the tunnels instead of
> directly over the vlan interface. That gave MTU problems, though, which
> made us just forget about ipsec altogether and use vtund instead, hardly
> better than nothing. (Now that Herbert has submitted a number of fixes
> for ipsec MTU issues with tunnels, I guess I should go and give the
> GRE-over-ipsec setup a go again.)
Hmm .. sounds like using the routing realm in the selector would
solve this while avoiding the GRE overhead.
Regards
Patrick
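Added illustration, not code from this thread or from the kernel: a small user-space model of how an IPsec policy selector is matched against an outgoing flow, in the spirit of the kernel's xfrm_selector (source/destination prefix, protocol, ports, and the ifindex that Patrick points out can be set through xfrm_user but not through setkey's spdadd). The interface numbers, addresses and flows are constructed. It shows why the per-prefix selector from the quoted spdadd line leaves an asymmetrically routed customer source unencrypted, while a 0/0 selector bound to the vlan's ifindex covers every packet that leaves that interface and nothing that leaves another one.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified IPv4 selector in the spirit of the kernel's xfrm_selector.
 * Addresses are host byte order; 0 means "any" for proto, ports, ifindex. */
struct sel {
    uint32_t saddr, daddr;
    uint8_t  prefixlen_s, prefixlen_d;
    uint8_t  proto;
    uint16_t sport, dport;
    int      ifindex;   /* output interface the policy is bound to, 0 = any */
};

/* The part of an outgoing flow the selector is compared against. */
struct flow {
    uint32_t saddr, daddr;
    uint8_t  proto;
    uint16_t sport, dport;
    int      oif;       /* interface the route chose for this packet */
};

static uint32_t prefix_mask(uint8_t len)
{
    /* a shift by 32 is undefined in C, so handle the 0/0 prefix explicitly */
    return len == 0 ? 0u : 0xffffffffu << (32 - len);
}

/* 1 if the flow is covered by the selector, else 0.  The interface test
 * mirrors the kernel rule "sel->ifindex == 0 || sel->ifindex == fl->oif". */
int selector_match(const struct sel *s, const struct flow *f)
{
    if ((f->saddr ^ s->saddr) & prefix_mask(s->prefixlen_s)) return 0;
    if ((f->daddr ^ s->daddr) & prefix_mask(s->prefixlen_d)) return 0;
    if (s->proto   && s->proto   != f->proto) return 0;
    if (s->sport   && s->sport   != f->sport) return 0;
    if (s->dport   && s->dport   != f->dport) return 0;
    if (s->ifindex && s->ifindex != f->oif)   return 0;
    return 1;
}

/* Constructed interface indices for the scenario in the thread. */
enum { IF_ETH0 = 2 /* customer side */, IF_ETH3 = 5 /* untrusted vlan */ };

/* Selector equivalent to the quoted spdadd line: 10.10.1.0/24 -> 10.0.1.0/24. */
static const struct sel prefix_sel = {
    .saddr = 0x0a0a0100u, .daddr = 0x0a000100u,
    .prefixlen_s = 24, .prefixlen_d = 24,
};

/* "Everything leaving eth3": 0/0 -> 0/0 with only the ifindex set. */
static const struct sel oif_sel = { .ifindex = IF_ETH3 };

/* Constructed flows: [0] a source inside the announced prefix, [1] a customer
 * source we never announced (asymmetric routing), both routed out over the
 * vlan, and [2] the same unannounced source leaving a customer interface. */
#define NFLOWS 3
static const struct flow flows[NFLOWS] = {
    { .saddr = 0x0a0a0105u /* 10.10.1.5 */,    .daddr = 0x0a000107u /* 10.0.1.7 */,
      .proto = 6, .sport = 40000, .dport = 80, .oif = IF_ETH3 },
    { .saddr = 0xc0a82a07u /* 192.168.42.7 */, .daddr = 0x0a000107u,
      .proto = 6, .sport = 40001, .dport = 80, .oif = IF_ETH3 },
    { .saddr = 0xc0a82a07u,                    .daddr = 0x0a000107u,
      .proto = 6, .sport = 40002, .dport = 80, .oif = IF_ETH0 },
};

/* Count how many of the flows a selector would hand to IPsec. */
int count_protected(const struct sel *s, const struct flow *fl, int n)
{
    int hits = 0;
    for (int i = 0; i < n; i++)
        hits += selector_match(s, &fl[i]);
    return hits;
}

int main(void)
{
    printf("prefix selector protects %d of %d vlan/customer flows\n",
           count_protected(&prefix_sel, flows, NFLOWS), NFLOWS);
    printf("oif selector protects    %d of %d vlan/customer flows\n",
           count_protected(&oif_sel, flows, NFLOWS), NFLOWS);
    return 0;
}
```

With the constructed flows the prefix selector protects only the first one, while the ifindex-bound selector protects the two that actually leave the vlan and leaves the customer-side flow alone. The model deliberately has no realm field: the kernel selector of the time did not carry one, which is why Patrick's routing-realm suggestion is an extension rather than something spdadd or xfrm_user can express as-is. In later iproute2 the same ifindex field is set with the `dev` keyword of `ip xfrm policy add`.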