
Re: linux-ipsec: cornered: MTU and fragmentation bugs

[ NOTICE!  This list will be hosted at lists.tislabs.com as of March 26.
There is no need to resubscribe, if you are on the list, you will remain
on it.  Just begin sending posts, and any administrative requests to
lists.tislabs.com as of now.  List mail to tis.com will cease to be
delivered as of March 26, 1999.  ]

On Wed, 24 Mar 1999, it was written:

>> I'm surprised that the Linux kernel (2.0) is not sending ICMP
>> "fragmentation required and DF set" responses.  I hope this is fixed
>I am not aware of any circumstances where Linux does not generate
>the appropriate messages. I think people would have noticed before
>two years ago if it was doing this wrong.

Ok, here we go...I'm still new to all of this but this is how I was able to
interpret it...I'll gladly take criticism too so please give me plenty of it
if I'm dead wrong here.

Indeed Linux does generate "Fragmentation needed but DF bit set"
messages--I've seen them when I had the hardest time with a Path MTU blackhole
that affected the entire ISP I worked for at the time, and my Linux (2.0.3x)
box was the best test environment I could conjure up.  The problem is when you
have an intermediate router or firewall that isn't generating/passing the ICMP
messages on to the next hop...

My problem addressing the issue is that I didn't think that MSS's can be set
up differently for each half of the connection, e.g., my MSS from my modem to
the terminal server is set to 1460, but from the terminal server to my modem
it's set up at 966.  Therefore, the terminal server was holding up the
connections.  Actually, I believe that the correct way to state this is that
you can have a different MRU and MTU altogether and they don't have to match.  
Also, MRU's tend to be negotiable; MTU's tend not to be negotiable.  
Therefore if I've negotiated an MRU of 1500, but the terminal server has an
MTU of 1006 then the Frag warnings are sent the other direction.

The firewall on the other end (or commonly, IP Masquerading software) doesn't
forward on the ICMP gripe.  So we're not discussing whether Linux generates
these ICMP messages; we're discussing how to set up your IP Masquerading
software (or firewall).  Most ICMP messages are fairly useful, and therefore
I'd only explicitly restrict incoming ICMP echo requests and perhaps outgoing
ICMP host unreachable messages.

As for tunnelling, I've never run across a path MTU black hole across a
tunnel.  I had to use Windows NT's PPTP (hunk-o-junk) to do it, but while
everyone else dialing into a living, breathing terminal server had the MTU
issues, the people setting up VPN's had none.  Of course, the MRU and MTU of
the Windoze NT box was hard coded to 1500 as well...

    +------------- Greg Swallow ---- djskinna@bunkie.indy.net -------------+
    |Diplomacy is the art of saying "nice doggy" until you can find a rock.|
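The mechanism the post describes (a hop with a smaller MTU emitting "fragmentation needed and DF set", a masquerading box or firewall in between swallowing that ICMP, and the resulting black hole where small packets pass but large ones silently vanish) is easy to see in a toy model. The following is an added example written for this page, not code from the original thread or from any kernel or firewall; the hop names, the `Hop`/`forward`/`pmtud_send` helpers and the sample paths are constructed, and the MTU of 1006 and MSS of 966 are simply the figures from the post above. It also shows the usual mitigation on the box that filters ICMP, clamping the TCP MSS at connection setup so the sender never builds a segment larger than the path can carry.

```python
"""Toy path MTU discovery (PMTUD) model with a black hole and MSS clamping.

Constructed example for illustration; it is not the behaviour of any real
kernel or firewall, only the logic the mailing-list post describes.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IP_TCP_HEADERS = 40  # bytes of IPv4 + TCP header, so MSS = MTU - 40

# ICMP type 3 (destination unreachable), code 4 (fragmentation needed, DF set)
ICMP_FRAG_NEEDED = ("ICMP", 3, 4)


@dataclass
class Hop:
    name: str
    mtu: int
    filters_icmp: bool = False        # a masquerading box / firewall that drops ICMP type 3
    clamp_mss: Optional[int] = None   # optional MSS clamping applied to passing SYNs (mitigation)


def forward(hops: List[Hop], size: int) -> Tuple[bool, Optional[tuple]]:
    """Push one DF-set packet of `size` bytes along `hops`.

    Returns (delivered, icmp): icmp is the frag-needed message that reaches
    the sender (with the offending hop's MTU appended), or None when the
    packet was delivered or when an earlier hop filtered the ICMP reply.
    """
    for i, hop in enumerate(hops):
        if size > hop.mtu:
            # hop i drops the packet and replies; the reply travels back
            # through hops[0:i], any of which may filter it
            if any(h.filters_icmp for h in hops[:i]):
                return False, None                  # black hole: no feedback at all
            return False, ICMP_FRAG_NEEDED + (hop.mtu,)
    return True, None


def clamped_start_size(hops: List[Hop], payload: int, start_pmtu: int = 1500) -> int:
    """Segment size the sender will use after SYN-time MSS clamping on the path."""
    size = min(payload, start_pmtu)
    for hop in hops:
        if hop.clamp_mss is not None:
            size = min(size, hop.clamp_mss + IP_TCP_HEADERS)
    return size


def pmtud_send(hops: List[Hop], payload: int, start_pmtu: int = 1500,
               max_tries: int = 8) -> Tuple[bool, int, int]:
    """Sender side of PMTUD: retry with the advertised MTU until delivered.

    Returns (delivered, final_pmtu_estimate, attempts). A silent drop with no
    ICMP feedback is reported as a failure after the first attempt, which is
    exactly the symptom of a path MTU black hole.
    """
    pmtu = clamped_start_size(hops, start_pmtu)
    for attempt in range(1, max_tries + 1):
        ok, icmp = forward(hops, min(payload, pmtu))
        if ok:
            return True, pmtu, attempt
        if icmp is None:
            return False, pmtu, attempt             # dropped, nothing came back
        pmtu = icmp[3]                              # honour the next-hop MTU in the reply
    return False, pmtu, max_tries


# Constructed sample paths, using the 1006-byte MTU / 966-byte MSS from the post.
PATH_OK = [Hop("modem", 1500), Hop("terminal-server", 1006), Hop("remote", 1500)]
PATH_BLACKHOLE = [Hop("modem", 1500), Hop("masq-firewall", 1500, filters_icmp=True),
                  Hop("terminal-server", 1006), Hop("remote", 1500)]
PATH_CLAMPED = [Hop("modem", 1500), Hop("masq-firewall", 1500, filters_icmp=True, clamp_mss=966),
                Hop("terminal-server", 1006), Hop("remote", 1500)]

if __name__ == "__main__":
    print("ICMP passed:      ", pmtud_send(PATH_OK, 1500))          # (True, 1006, 2)
    print("ICMP filtered:    ", pmtud_send(PATH_BLACKHOLE, 1500))   # (False, 1500, 1)
    print("small pkt, filter:", pmtud_send(PATH_BLACKHOLE, 900))    # (True, 1500, 1)
    print("MSS clamped:      ", pmtud_send(PATH_CLAMPED, 1500))     # (True, 1006, 1)
```

The second and third lines of output are the diagnostic signature of a black hole: a 900-byte packet gets through the same path on which a 1500-byte packet dies without any ICMP coming back, so the sender keeps retransmitting at full size and the connection stalls (the "terminal server was holding up the connections" symptom). The fix on the filtering box is either to let ICMP type 3 code 4 through, as the post recommends, or to clamp the MSS on SYNs so the sender starts at a size the path accepts and never needs the ICMP at all.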