Subject: kern/11429: IPv6 UDP NFS may not work across routers + smaller MTU links
To: None <gnats-bugs@gnats.netbsd.org>
From: None <itojun@itojun.org>
List: netbsd-bugs
Date: 11/05/2000 23:32:11
>Number:         11429
>Category:       kern
>Synopsis:       IPv6 UDP NFS may not work across routers + smaller MTU links
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Nov 05 23:32:00 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Jun-ichiro itojun Hagino
>Release:        1.5I, and 1.5
>Organization:
	itojun.org
>Environment:
	
System: NetBSD starfruit.itojun.org 1.5I NetBSD 1.5I (STARFRUIT) #262: Mon Nov 6 09:40:56 JST 2000 itojun@starfruit.itojun.org:/usr/home/itojun/NetBSD/src/sys/arch/i386/compile/STARFRUIT i386

>Description:
	we have added some validation code against ICMPv6 "too big" messages to
	avoid DoS attack from malicious parties.  due to the validation rule,
	IPv6 path mtu discovery works only for the following cases:
	- TCP
	- connected UDP
	- IPsec ESP/AH
	as it is mandatory to perform pmtud on IPv6, it is expected that
	there are some protocols that choke with the above validation rules.

	one of the most annoying ones would be IPv6 UDP NFS.  by default,
	we use non-connected UDP socket for UDP NFS, so we will not be able to
	perform pmtud for IPv6 UDP NFS.  even if we use connected UDP socket
	(mount_nfs -C), server -> client direction still uses non-connected
	UDP socket and will choke.

	the problem happens only under the following conditions:
	- IPv6 UDP NFS mount across distant subnets
	- there's a link with smaller MTU between client and server
>How-To-Repeat:
>Fix:
	workaround: use mount_nfs -T (use TCP transport).
>Release-Note:
>Audit-Trail:
>Unformatted:
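
Added example, not part of the original report and not NetBSD kernel code: a simplified model of why the validation rule lets path MTU discovery work for connected sockets but not for the non-connected UDP socket on the NFS server side. It assumes the rule amounts to matching the packet quoted in the ICMPv6 "too big" message against a socket that has a recorded peer; IPsec is not modelled, and all struct names, addresses and the client port are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the rule; hypothetical names, not NetBSD kernel code. */
struct pcb {                        /* one socket's control block */
    int proto;                      /* 6 = TCP, 17 = UDP */
    const char *laddr; int lport;
    const char *faddr; int fport;   /* faddr == NULL: socket not connected */
};
struct quoted {                     /* our own packet, as quoted in the ICMPv6 error */
    int proto;
    const char *src; int sport;     /* local end */
    const char *dst; int dport;     /* destination whose path MTU would shrink */
};

/* 1 if the "too big" message may lower the path MTU, 0 if it is ignored. */
int toobig_accepted(const struct pcb *tab, int n, const struct quoted *q)
{
    for (int i = 0; i < n; i++) {
        const struct pcb *p = &tab[i];
        if (p->proto != q->proto || p->faddr == NULL)
            continue;               /* no recorded peer: nothing to check against */
        if (!strcmp(p->laddr, q->src) && p->lport == q->sport &&
            !strcmp(p->faddr, q->dst) && p->fport == q->dport)
            return 1;
    }
    return 0;
}

/* Constructed hosts: client 2001:db8:1::10, server 2001:db8:2::20. */
#define CLI "2001:db8:1::10"
#define SRV "2001:db8:2::20"
const struct pcb srv_udp = { 17, SRV, 2049, NULL, 0 };     /* unconnected UDP socket */
const struct pcb cli_udp = { 17, CLI, 1011, SRV, 2049 };   /* mount_nfs -C */
const struct pcb srv_tcp = { 6,  SRV, 2049, CLI, 1011 };   /* mount_nfs -T */
const struct quoted udp_reply   = { 17, SRV, 2049, CLI, 1011 };
const struct quoted udp_request = { 17, CLI, 1011, SRV, 2049 };
const struct quoted tcp_reply   = { 6,  SRV, 2049, CLI, 1011 };
const struct quoted forged      = { 17, CLI, 1011, "2001:db8:9::99", 2049 };

int main(void)
{
    printf("server UDP reply   : %d\n", toobig_accepted(&srv_udp, 1, &udp_reply));
    printf("client UDP request : %d\n", toobig_accepted(&cli_udp, 1, &udp_request));
    printf("server TCP reply   : %d\n", toobig_accepted(&srv_tcp, 1, &tcp_reply));
    printf("client, forged dst : %d\n", toobig_accepted(&cli_udp, 1, &forged));
    return 0;
}
```

In this model the server's large UDP replies never get their path MTU lowered, which is the server -> client failure the report describes, while the TCP case passes the same check.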