From mboxrd@z Thu Jan 1 00:00:00 1970 From: David Ahern Subject: Re: ip6-in-ip{4,6} ipsec tunnel issues with 1280 MTU Date: Sat, 28 Apr 2018 19:05:53 -0600 Message-ID: References: <1524743477.2658.38.camel@redhat.com> <36807b4bda59b9145a69cc949facbb2b@codeaurora.org> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Cc: Paolo Abeni , netdev@vger.kernel.org, maloney@google.com, edumazet@google.com, netdev-owner@vger.kernel.org To: Ashwanth Goli Return-path: Received: from mail-pf0-f177.google.com ([209.85.192.177]:46059 "EHLO mail-pf0-f177.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751167AbeD2BGD (ORCPT ); Sat, 28 Apr 2018 21:06:03 -0400 In-Reply-To: <36807b4bda59b9145a69cc949facbb2b@codeaurora.org> Content-Language: en-US Sender: netdev-owner@vger.kernel.org List-ID: On 4/27/18 9:44 AM, Ashwanth Goli wrote: > On 2018-04-27 20:18, David Ahern wrote: >> On 4/27/18 5:02 AM, Ashwanth Goli wrote: >>> On 2018-04-26 17:21, Paolo Abeni wrote: >>>> Hi, >>>> >>>> [fixed CC list] >>>> >>>> On Wed, 2018-04-25 at 21:43 +0530, Ashwanth Goli wrote: >>>>> Hi Pablo, >>>> >>>> Actually I'm Paolo, but yours is a recurring mistake ;) >>>> >>>>> I am noticing an issue similar to the one reported by Alexis Perez >>>>> [Regression for ip6-in-ip4 IPsec tunnel in 4.14.16] >>>>> >>>>> In my IPsec setup outer MTU is set to 1280, ip6_setup_cork sees an MTU >>>>> less than IPV6_MIN_MTU because of the tunnel headers. -EINVAL is being >>>>> returned as a result of the MTU check that got added with below patch. >> >> If you know you are running ipsec over the link why are you setting the >> outer MTU to 1280? RFC 2460 suggests the fragmentation of packets for >> links with MTU < 1280 should be done below the IPv6 layer: >> >> 5. Packet Size Issues >> >>    IPv6 requires that every link in the internet have an MTU of 1280 >>    octets or greater.  On any link that cannot convey a 1280-octet >>    packet in one piece, link-specific fragmentation and reassembly must >>    be provided at a layer below IPv6. >> >>    Links that have a configurable MTU (for example, PPP links [RFC- >>    1661]) must be configured to have an MTU of at least 1280 octets; it >>    is recommended that they be configured with an MTU of 1500 octets or >>    greater, to accommodate possible encapsulations (i.e., tunneling) >>    without incurring IPv6-layer fragmentation. > > But is this not breaking point (b) from section 7.1 of RFC2473 since the > inner packet can be smaller than 1280. > > https://tools.ietf.org/html/rfc2473#section-7.1 I don't think so. Given how Linux works with ipsec (or my understanding of it), your proposed change seems ok to me.