RE: IPsec packet dropping due to MTU problem (was RE: XFRM / DF Flag / Fragmentation Needed)

[DuBuisson, Thomas]

>> After A establishes an SSH connection with C and tries to transfer the
>> patches the size of a packet from A destined for C quickly reaches 1500
>> while the MTU
>> to A is ~1400.  At this point A sends an ICMP 'Fragmentation Needed'
>> packet to its self (see xfrm_output.c xfrm4_tunnel_check_size(...)).  It
>> seems this packet is never acted on - it just disappears into the
>> loopback interface.  The proper mtu trial/error process never takes
>> place.
>There is a known problem in xfrm4_tunnel_check_size if your underlying
>path MTU is a multiple of 8.  So if your path MTU is 1480, you'll need
>to lower it to 1476 before it will work.
The problem occurs even when the PMTU is any value, 1476 would be one
example.
While I don't quite understand the xfrm4_tunnel_check_size bug by looking at
the code but
I have instrumented the function and don't see any behavior I disagree with
in the tested 
cases.  

It seems to me that this problem is more with Linux ignoring the received
ICMP error.  
ICMP messages from a host to itself, imh observation, aren't properly
handled and that is where the problem I have encountered is coming from.

Thomas
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/