Subject: Re: ipip and gif
To: None <firstname.lastname@example.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
Date: 04/19/2000 13:42:16
>> I implemented a tunnel for my home netlink (I found I couldn't use
>> existing tunnel code; I can explain why if anyone cares)
> Did it have something to do with many, many sites blocking all ICMP
> packets, including "must fragment"?

No, though that is a problem - when a host trying to do MTU discovery
is behind such a misconfigured router, communication breaks down. I've
tried writing to a few such; so far I've gotten only one response, from
a site saying "we used to but then we fixed it because of exactly the
problem you bring up - I don't know why you're still having trouble".
I offered to do what I could to help track down the problem, but never
got a reply to that.

No, the reasons I couldn't use existing tunnel code were:

- One of the inner tunnel addresses (my home end) is liable to change
  with no warning; somehow this has to be communicated to the other
  end so it knows where to send packets.
- The packets are signed. (I could encrypt them as well, but haven't
  perceived a need yet.)
- There are actually two tunnels, decision between which is made based
  on the *source* address of the packet. (For example, 220.127.116.11
  and 18.104.22.168 are the same machine; if an outgoing packet has
  source address 22.214.171.124 it goes down one tunnel, whereas if it
  has source address 126.96.36.199 it goes down the other.)

There may have been others, but those are the ones I recall now.
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
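
[Added example, not part of the original message and not the author's code.] The first two requirements above interact: if the far end learns the roaming address from incoming tunnel packets, it should only do so after the signature verifies and the packet is not a replay. The sketch below assumes a frame layout of an 8-byte counter, the inner packet and an HMAC-SHA256 tag; the layout, the choice of HMAC and all names are assumptions, since the message does not say how the packets were signed or how the address change was communicated.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size


def seal(key, counter, inner):
    """Build a frame: 8-byte counter || inner packet || HMAC tag."""
    body = struct.pack("!Q", counter) + inner
    return body + hmac.new(key, body, hashlib.sha256).digest()


class TunnelReceiver:
    """Fixed end of the tunnel; tracks where the roaming end currently is."""

    def __init__(self, key):
        self.key = key
        self.peer = None        # outer (address, port) of the roaming end
        self.last_counter = -1  # highest counter accepted so far

    def accept(self, frame, src):
        """Return the inner packet, or None if the frame is rejected."""
        if len(frame) < 8 + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # bad signature: must not move the endpoint
        (counter,) = struct.unpack("!Q", body[:8])
        if counter <= self.last_counter:  # strictly increasing, no reorder window
            return None  # replayed capture: must not move the endpoint either
        self.last_counter = counter
        self.peer = src  # only now trust the outer source address
        return body[8:]


def demo():
    key = b"constructed-demo-key"            # constructed sample key
    home_old = ("192.0.2.10", 4000)          # constructed documentation addresses
    home_new = ("198.51.100.7", 4000)
    other = ("203.0.113.99", 4000)
    rx = TunnelReceiver(key)
    first = seal(key, 1, b"inner-1")
    results = [(rx.accept(first, home_old), rx.peer)]
    results.append((rx.accept(seal(b"wrong-key", 2, b"x"), other), rx.peer))
    results.append((rx.accept(first, other), rx.peer))  # replay from elsewhere
    results.append((rx.accept(seal(key, 2, b"inner-2"), home_new), rx.peer))
    return results
```

Calling `demo()` shows the recorded endpoint staying put for the badly signed and replayed frames and moving only when a fresh, correctly signed frame arrives from the new address.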