Subject: Re: IP-IP v4 tunnel?
To: Mike M. Volokhov <mishka@netbsd.org>
From: Peter Eisch <peter@boku.net>
List: netbsd-users
Date: 12/26/2006 21:33:14
On 12/20/06 12:39 AM, "Mike M. Volokhov" <mishka@netbsd.org> wrote:

> Peter Eisch <peter@boku.net> wrote:
>> 
>> I tried using gif but my netbsd 3.0 upstream started dropping all the "big"
>> packets for the tunnel and returning:
>>  icmp 36: <tun-dest> unreachable - need to frag for IP
> 
> It is good. Your <tun-dest> is just asking <src> to lower the packet size.
> This is how path MTU discovery works. But please be sure your
> firewalls are opened for those ICMP messages.
> 

Here is a fragment of my ipf.conf:

block out log quick on wm0 all head 2
 block out   quick from 192.168.0.0/16 to any            group 2
 block out   quick from 172.16.0.0/12 to any             group 2
 block out   quick from 10.0.0.0/8 to any                group 2
 block out   quick from 127.0.0.0/8 to any               group 2
 block out   quick from 0.0.0.0/8 to any                 group 2
 block out   quick from 169.254.0.0/16 to any            group 2
 block out   quick from 192.0.2.0/24 to any              group 2
 block out   quick from 204.152.64.0/23 to any           group 2
 block out   quick from 224.0.0.0/3 to any               group 2
 pass  out log quick proto icmp from any to any group 2 (set-tag=999)

>> All the MTUs are standard: 1500 for Internet, 1280 on the gif tunnel.  The
>> routing was fine -- everything worked very well for ssh and everything that
>> didn't approach the gif MTU.
> 
> So any particular problems here?
> 

Below I've replaced the real IP addr with SVR, CLIENT and FW for the
Internet side IP of the system nearest the Internet on the tunnel.

With tcpdump I see:

20:59:10.146020 IP (tos 0x0, ttl 115, id 57089, offset 0, flags [DF], \
     length: 1431) SVR.80 > CLIENT.40033: FP [tcp sum ok] 519:1910(1391) \
    ack 420 win 65116
20:59:10.146067 IP (tos 0x0, ttl 255, id 46179, offset 0, flags [none], \
     length: 56) FW > SVR: icmp 36: CLIENT unreachable - need to frag for \
    IP  (tos 0x0, ttl 114, id 57089, offset 0, flags [DF], length: 1431, \
    bad cksum 99ca (->9aca)!) SVR.80 > CLIENT.40033: [|tcp]

In my ipfilter log I get:

Dec 26 21:22:40 sysname ipmon[281]: 21:22:40.220518 wm0 @2:10 p FW[FW IP] ->
SERVER[SERVER IP] PR icmp len 20 56 icmp unreach/needfrag for SERVER[SERVER
IP],www - CLIENT[CLIENT IP],40120 PR tcp len 20 1431 OUT log-tag 999
Dec 26 21:22:44 sysname ipmon[281]: 21:22:43.501768 wm0 @2:10 p FW[FW IP] ->
SERVER[SERVER IP] PR icmp len 20 56 icmp unreach/needfrag for SERVER[SERVER
IP],www - CLIENT[CLIENT IP],40122 PR tcp len 20 1300 OUT log-tag 999
Dec 26 21:22:52 sysname ipmon[281]: 21:22:52.033229 wm0 @2:10 p FW[FW IP] ->
SERVER[SERVER IP] PR icmp len 20 56 icmp unreach/needfrag for SERVER[SERVER
IP],www - CLIENT[CLIENT IP],40120 PR tcp len 20 1431 OUT log-tag 999

So I'm pretty sure that my ICMP packets are getting out.

If I raise the mtu on the gif interfaces to 1500, _everything_ works great
at the application layer.  This obviously introduces fragments, but if it's
the only way that works I guess I can keep it.

Ideas?

peter
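A small diagnostic for the situation discussed in this thread, added here as an illustration and not code from the original post or from NetBSD/ipfilter. It parses ipmon(8) "unreach/needfrag" lines of the shape shown above, checks that the firewall actually passed them (a blocked needfrag is a PMTUD black hole), confirms that the quoted packet was really larger than the gif MTU, and computes how many outer fragments an IPv4-in-IPv4 encapsulation produces once the tunnel MTU is raised to 1500. The sample log lines are constructed from the thread's own placeholders (FW, SERVER, CLIENT), joined onto single lines; the "b" (blocked) line and the plain TCP line are added to exercise the other code paths. The 20-byte IPIP overhead, the MTU values and the `orig_len`/`tunnel_mtu` names are this example's assumptions.

```python
import math
import re

# Tunnel parameters from the thread: 1500 on the Internet side, 1280 on gif.
OUTER_MTU = 1500
GIF_MTU = 1280
IPIP_OVERHEAD = 20  # one extra IPv4 header for an IPv4-in-IPv4 gif tunnel (assumed)

# Constructed sample ipmon(8) lines in the shape of the thread's log
# (placeholder addresses kept verbatim, wrapped lines joined).
SAMPLE_IPMON = [
    "Dec 26 21:22:40 sysname ipmon[281]: 21:22:40.220518 wm0 @2:10 p FW[FW IP] -> "
    "SERVER[SERVER IP] PR icmp len 20 56 icmp unreach/needfrag for SERVER[SERVER IP],www"
    " - CLIENT[CLIENT IP],40120 PR tcp len 20 1431 OUT log-tag 999",
    "Dec 26 21:22:44 sysname ipmon[281]: 21:22:43.501768 wm0 @2:10 p FW[FW IP] -> "
    "SERVER[SERVER IP] PR icmp len 20 56 icmp unreach/needfrag for SERVER[SERVER IP],www"
    " - CLIENT[CLIENT IP],40122 PR tcp len 20 1300 OUT log-tag 999",
    # constructed: the same ICMP hitting a block rule, i.e. a PMTUD black hole
    "Dec 26 21:23:01 sysname ipmon[281]: 21:23:01.000001 wm0 @2:3 b FW[FW IP] -> "
    "SERVER[SERVER IP] PR icmp len 20 56 icmp unreach/needfrag for SERVER[SERVER IP],www"
    " - CLIENT[CLIENT IP],40124 PR tcp len 20 1431 OUT",
    # constructed: an ordinary TCP line that the parser must ignore
    "Dec 26 21:23:05 sysname ipmon[281]: 21:23:05.000001 wm0 @2:10 p "
    "SERVER[SERVER IP],80 -> CLIENT[CLIENT IP],40130 PR tcp len 20 1300 -A OUT",
]

# Field order follows the thread's log lines; src/dst are lazy because the
# placeholders contain spaces (e.g. "FW[FW IP]").
NEEDFRAG_RE = re.compile(
    r"\s(?P<iface>\S+)\s@(?P<group>\d+):(?P<rule>\d+)\s(?P<action>[pbn])\s"
    r"(?P<src>.+?)\s->\s(?P<dst>.+?)\sPR icmp len \d+ (?P<icmp_len>\d+)\s"
    r"icmp unreach/needfrag for (?P<orig_src>.+?) - (?P<orig_dst>.+?)\s"
    r"PR (?P<orig_proto>\w+) len \d+ (?P<orig_len>\d+)"
)


def parse_needfrag(line):
    """Return the fields of one ipmon needfrag line, or None if it is not one."""
    m = NEEDFRAG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("group", "rule", "icmp_len", "orig_len"):
        rec[key] = int(rec[key])
    return rec


def classify(rec, tunnel_mtu=GIF_MTU):
    """Explain what one needfrag record means for path MTU discovery."""
    if rec["action"] != "p":
        # The firewall dropped the ICMP: the sender never learns the smaller
        # MTU and keeps retransmitting full-size DF packets (PMTUD black hole).
        return "blackhole"
    if rec["orig_len"] > tunnel_mtu:
        # Expected: the quoted packet really was too big for the tunnel.
        return "pmtud_ok"
    # needfrag for a packet that fits the tunnel points at an MTU mismatch
    # somewhere else on the path.
    return "unexpected"


def audit(lines, tunnel_mtu=GIF_MTU):
    """Tally verdicts over an ipmon log; lines that are not needfrag are ignored."""
    counts = {"pmtud_ok": 0, "blackhole": 0, "unexpected": 0}
    for line in lines:
        rec = parse_needfrag(line)
        if rec is not None:
            counts[classify(rec, tunnel_mtu)] += 1
    return counts


def outer_fragments(inner_len, outer_mtu=OUTER_MTU, overhead=IPIP_OVERHEAD):
    """Number of outer IPv4 fragments an inner packet of inner_len bytes
    produces after encapsulation (1 means it is sent whole)."""
    if inner_len + overhead <= outer_mtu:
        return 1
    per_fragment = (outer_mtu - 20) // 8 * 8  # fragment offsets are 8-byte units
    return math.ceil(inner_len / per_fragment)


if __name__ == "__main__":
    print(audit(SAMPLE_IPMON))
    for size in (1280, 1431, 1500):
        print(size, "byte inner packet ->", outer_fragments(size), "outer fragment(s)")
```

With the thread's 1280-byte gif MTU both logged messages classify as "pmtud_ok" (1431 and 1300 both exceed 1280), which matches the observation that the ICMP is getting out; the interesting cases a defender looks for are "blackhole" (rule @2:3 in the constructed line) and "unexpected". The fragment count shows the trade-off of the 1500 workaround: a 1431-byte packet still fits in one 1451-byte outer datagram, but a full 1500-byte inner packet becomes two outer fragments.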