Subject: Re: ipip and gif
To: None <>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-net
Date: 04/19/2000 13:42:16
>> I implemented a tunnel for my home netlink (I found I couldn't use
>> existing tunnel code; I can explain why if anyone cares)
> Did it have something to do with many, many sites blocking all ICMP
> packets, including "must fragment"?

No, though that is a problem - when a host trying to do MTU discovery
is behind such a misconfigured router, communication breaks down.  I've
tried writing to a few such; so far I've gotten only one response, from
a site saying "we used to but then we fixed it because of exactly the
problem you bring up - I don't know why you're still having trouble".
I offered to do what I could to help track down the problem, but never
got a reply to that.

No, the reasons I couldn't use existing tunnel code were:

- One of the inner tunnel addresses (my home end) is liable to change
   with no warning; somehow this has to be communicated to the other
   end so it knows where to send packets.

- The packets are signed.  (I could encrypt them as well, but haven't
   perceived a need yet.)

- There are actually two tunnels, decision between which is made based
   on the *source* address of the packet.  (For example,
   and are the same machine; if an outgoing packet has
   source address it goes down one tunnel, whereas if it
   has source address it goes down the other.)

There may have been others, but those are the ones I recall now.

					der Mouse

		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B