netbsd-bugs: kern/17117: NetBSD's MSS clamping code is insufficient

Subject: kern/17117: NetBSD's MSS clamping code is insufficient
To: None <gnats-bugs@gnats.netbsd.org>
From: Matthias Scheler <tron@netbsd.org>
List: netbsd-bugs
Date: 05/31/2002 14:52:11
>Number:         17117
>Category:       kern
>Synopsis:       NetBSD's MSS clamping code is insufficient
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri May 31 05:53:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     
>Release:        NetBSD 1.6_BETA1 2002-05-31 sources
>Organization:
Matthias Scheler                                  http://scheler.de/~matthias/
>Environment:
System: NetBSD colwyn.zhadum.de 1.6_BETA1 NetBSD 1.6_BETA1 (COLWYN) #0: Fri May 31 11:41:39 CEST 2002 tron@colwyn.zhadum.de:/src/sys/compile/COLWYN i386
Architecture: i386
Machine: i386

>Description:
My network connectivity looks like this:

	Internet
	  |
	DSL line	PPP over Ethernet, MTU 1492
	  |
	Gateway		NetBSD 1.6_BETA1 using pppoe(4) and ipl(4)
	  |
	LAN		Ethernet, MTU 1500
	  |
	Workstation	NetBSD 1.6A

The workstation has serious network connectivity problems after I switched
from the "rp-pppoe" package to pppoe(4). I'm not sure if all of the problems
listed below existed from the beginning but they do now:

1.) FTP connects to "ftp.netbsd.org" and other servers got stuck during the
    initial login messages. This is *not* about problems with active FTP
    connections I couldn't even log in.

2.) SSH connections with big amount of incoming traffic get stuck, too.
    If I e.g. use "scp ftp.netbsd.org:/usr/bin/vi ." on the work station
    it gets stuck when the actual transfer begins. So it is really *not*
    a problem related to the FTP proxy.

Here is the "ipnat.conf" from the gateway:

map ppp0 192.168.0.0/16 -> 0/32 proxy port ftp ftp/tcp mssclamp 1452
map ppp0 192.168.0.0/16 -> 0/32 portmap tcp/udp 16384:32767 mssclamp 1452
map ppp0 192.168.0.0/16 -> 0/32 mssclamp 1452

Here is the "tcpdump" of a failed FTP connection to "ftp.netbsd.org":

14:23:36.216126 PPPoE  [ses 0x18e8] pD953C6B5.dip.t-dialin.net.65528 > ftp.netbsd.org.ftp: S 605420961:605420961(0) win 16384 <mss 1452,nop,wscale 0,nop,nop,timestamp 0 0>
14:23:36.453208 PPPoE  [ses 0x18e8] ftp.netbsd.org.ftp > pD953C6B5.dip.t-dialin.net.65528: S 221086434:221086434(0) ack 605420962 win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 6300721 0>
14:23:36.453525 PPPoE  [ses 0x18e8] pD953C6B5.dip.t-dialin.net.65528 > ftp.netbsd.org.ftp: . ack 1 win 17520 <nop,nop,timestamp 0 6300721>
14:23:37.091418 PPPoE  [ses 0x18e8] ftp.netbsd.org.ftp > pD953C6B5.dip.t-dialin.net.65528: P 1:62(61) ack 1 win 33580 <nop,nop,timestamp 6300722 0> [tos 0x10] 
14:23:37.093254 PPPoE  [ses 0x18e8] pD953C6B5.dip.t-dialin.net.65528 > ftp.netbsd.org.ftp: P 1:17(16) ack 62 win 17520 <nop,nop,timestamp 2 6300722> [tos 0x10] 
14:23:37.340885 PPPoE  [ses 0x18e8] ftp.netbsd.org.ftp > pD953C6B5.dip.t-dialin.net.65528: P 62:111(49) ack 17 win 33580 <nop,nop,timestamp 6300723 2> [tos 0x10] 
14:23:37.341611 PPPoE  [ses 0x18e8] pD953C6B5.dip.t-dialin.net.65528 > ftp.netbsd.org.ftp: P 17:29(12) ack 111 win 17520 <nop,nop,timestamp 2 6300723> [tos 0x10] 
14:23:37.579588 PPPoE  [ses 0x18e8] ftp.netbsd.org.ftp > pD953C6B5.dip.t-dialin.net.65528: P 111:117(6) ack 29 win 33580 <nop,nop,timestamp 6300723 2> [tos 0x10] 
14:23:37.607943 PPPoE  [ses 0x18e8] ftp.netbsd.org.ftp > pD953C6B5.dip.t-dialin.net.65528: . 117:829(712) ack 29 win 33580 <nop,nop,timestamp 6300723 2> (frag 10733:744@0+) [tos 0x10] 
14:23:37.616108 PPPoE  [ses 0x18e8] ftp.netbsd.org > pD953C6B5.dip.t-dialin.net: (frag 10733:736@744) [tos 0x10] 
14:23:37.779029 PPPoE  [ses 0x18e8] pD953C6B5.dip.t-dialin.net.65528 > ftp.netbsd.org.ftp: . ack 117 win 17520 <nop,nop,timestamp 3 6300723> [tos 0x10] 
14:23:39.179585 PPPoE  [ses 0x18e8] ftp.netbsd.org.ftp > pD953C6B5.dip.t-dialin.net.65528: . 117:829(712) ack 29 win 33580 <nop,nop,timestamp 6300726 2> (frag 11249:744@0+) [tos 0x10] 
14:23:39.187885 PPPoE  [ses 0x18e8] ftp.netbsd.org > pD953C6B5.dip.t-dialin.net: (frag 11249:736@744) [tos 0x10] 
14:23:41.181574 PPPoE  [ses 0x18e8] ftp.netbsd.org.ftp > pD953C6B5.dip.t-dialin.net.65528: . 117:829(712) ack 29 win 33580 <nop,nop,timestamp 6300730 2> (frag 11892:744@0+) [tos 0x10] 
14:23:41.195265 PPPoE  [ses 0x18e8] ftp.netbsd.org > pD953C6B5.dip.t-dialin.net: (frag 11892:736@744) [tos 0x10] 
14:23:45.174976 PPPoE  [ses 0x18e8] ftp.netbsd.org.ftp > pD953C6B5.dip.t-dialin.net.65528: . 117:829(712) ack 29 win 33580 <nop,nop,timestamp 6300738 2> (frag 13162:744@0+) [tos 0x10] 
14:23:45.183013 PPPoE  [ses 0x18e8] ftp.netbsd.org > pD953C6B5.dip.t-dialin.net: (frag 13162:736@744) [tos 0x10] 
14:23:53.174110 PPPoE  [ses 0x18e8] ftp.netbsd.org.ftp > pD953C6B5.dip.t-dialin.net.65528: . 117:829(712) ack 29 win 33580 <nop,nop,timestamp 6300754 2> (frag 15798:744@0+) [tos 0x10] 
14:23:53.182351 PPPoE  [ses 0x18e8] ftp.netbsd.org > pD953C6B5.dip.t-dialin.net: (frag 15798:736@744) [tos 0x10] 
14:24:09.169589 PPPoE  [ses 0x18e8] ftp.netbsd.org.ftp > pD953C6B5.dip.t-dialin.net.65528: . 117:829(712) ack 29 win 33580 <nop,nop,timestamp 6300786 2> (frag 21302:744@0+) [tos 0x10] 
14:24:09.177743 PPPoE  [ses 0x18e8] ftp.netbsd.org > pD953C6B5.dip.t-dialin.net: (frag 21302:736@744) [tos 0x10] 
14:24:37.589560 PPPoE  [ses 0x18e8] pD953C6B5.dip.t-dialin.net.65528 > ftp.netbsd.org.ftp: F 29:29(0) ack 117 win 17520 <nop,nop,timestamp 123 6300723> [tos 0x10] 
14:24:37.820823 PPPoE  [ses 0x18e8] ftp.netbsd.org.ftp > pD953C6B5.dip.t-dialin.net.65528: . ack 30 win 33580 <nop,nop,timestamp 6300844 123> [tos 0x10] 
14:24:41.167826 PPPoE  [ses 0x18e8] ftp.netbsd.org.ftp > pD953C6B5.dip.t-dialin.net.65528: . 117:829(712) ack 30 win 33580 <nop,nop,timestamp 6300850 123> (frag 32071:744@0+) [tos 0x10] 
14:24:41.176088 PPPoE  [ses 0x18e8] ftp.netbsd.org > pD953C6B5.dip.t-dialin.net: (frag 32071:736@744) [tos 0x10] 

And here is a successful session using the "rp-pppoe" package:

14:20:51.205591 pD9E58F94.dip.t-dialin.net.65529 > ftp.netbsd.org.ftp: S 3649106720:3649106720(0) win 16384 <mss 1452,nop,wscale 0,nop,nop,timestamp 0 0>
14:20:51.442677 ftp.netbsd.org.ftp > pD9E58F94.dip.t-dialin.net.65529: S 2464405853:2464405853(0) ack 3649106721 win 32768 <mss 1412,nop,wscale 0,nop,nop,timestamp 6300391 0>
14:20:51.442999 pD9E58F94.dip.t-dialin.net.65529 > ftp.netbsd.org.ftp: . ack 1 win 17520 <nop,nop,timestamp 0 6300391>
14:20:51.707736 ftp.netbsd.org.ftp > pD9E58F94.dip.t-dialin.net.65529: P 1:62(61) ack 1 win 33580 <nop,nop,timestamp 6300392 0> [tos 0x10] 
14:20:51.710472 pD9E58F94.dip.t-dialin.net.65529 > ftp.netbsd.org.ftp: P 1:17(16) ack 62 win 17520 <nop,nop,timestamp 1 6300392> [tos 0x10] 
14:20:51.941199 ftp.netbsd.org.ftp > pD9E58F94.dip.t-dialin.net.65529: P 62:111(49) ack 17 win 33580 <nop,nop,timestamp 6300392 1> [tos 0x10] 
14:20:51.941949 pD9E58F94.dip.t-dialin.net.65529 > ftp.netbsd.org.ftp: P 17:29(12) ack 111 win 17520 <nop,nop,timestamp 1 6300392> [tos 0x10] 
14:20:52.195435 ftp.netbsd.org.ftp > pD9E58F94.dip.t-dialin.net.65529: P 111:117(6) ack 29 win 33580 <nop,nop,timestamp 6300393 1> [tos 0x10] 
14:20:52.217245 ftp.netbsd.org.ftp > pD9E58F94.dip.t-dialin.net.65529: . 117:1529(1412) ack 29 win 33580 <nop,nop,timestamp 6300393 1> [tos 0x10] 
14:20:52.217663 pD9E58F94.dip.t-dialin.net.65529 > ftp.netbsd.org.ftp: . ack 1529 win 16108 <nop,nop,timestamp 2 6300393> [tos 0x10] 
14:20:52.217684 pD9E58F94.dip.t-dialin.net.65529 > ftp.netbsd.org.ftp: . ack 1529 win 17132 <nop,nop,timestamp 2 6300393> [tos 0x10] 
14:20:52.461361 ftp.netbsd.org.ftp > pD9E58F94.dip.t-dialin.net.65529: P 1529:2490(961) ack 29 win 33580 <nop,nop,timestamp 6300393 1> [tos 0x10] 
14:20:52.461750 pD9E58F94.dip.t-dialin.net.65529 > ftp.netbsd.org.ftp: . ack 2490 win 17520 <nop,nop,timestamp 2 6300393> [tos 0x10] 
14:20:52.463326 pD9E58F94.dip.t-dialin.net.65529 > ftp.netbsd.org.ftp: P 29:35(6) ack 2490 win 17520 <nop,nop,timestamp 2 6300393> [tos 0x10] 
14:20:52.708471 ftp.netbsd.org.ftp > pD9E58F94.dip.t-dialin.net.65529: P 2490:2539(49) ack 35 win 33580 <nop,nop,timestamp 6300394 2> [tos 0x10] 
14:20:52.709213 pD9E58F94.dip.t-dialin.net.65529 > ftp.netbsd.org.ftp: P 35:41(6) ack 2539 win 17520 <nop,nop,timestamp 3 6300394> [tos 0x10] 
14:20:52.944651 ftp.netbsd.org.ftp > pD9E58F94.dip.t-dialin.net.65529: P 2539:2563(24) ack 41 win 33580 <nop,nop,timestamp 6300394 3> [tos 0x10] 
14:20:53.137827 pD9E58F94.dip.t-dialin.net.65529 > ftp.netbsd.org.ftp: . ack 2563 win 17520 <nop,nop,timestamp 4 6300394> [tos 0x10] 
14:20:53.361186 ftp.netbsd.org.ftp > pD9E58F94.dip.t-dialin.net.65529: P 2563:2649(86) ack 41 win 33580 <nop,nop,timestamp 6300395 3> [tos 0x10] 
14:20:53.361603 pD9E58F94.dip.t-dialin.net.65529 > ftp.netbsd.org.ftp: P 41:46(5) ack 2649 win 17520 <nop,nop,timestamp 4 6300395> [tos 0x10] 
14:20:53.588398 ftp.netbsd.org.ftp > pD9E58F94.dip.t-dialin.net.65529: P 2649:2684(35) ack 46 win 33580 <nop,nop,timestamp 6300395 4> [tos 0x10] 
14:20:53.588762 pD9E58F94.dip.t-dialin.net.65529 > ftp.netbsd.org.ftp: P 46:54(8) ack 2684 win 17520 <nop,nop,timestamp 5 6300395> [tos 0x10] 
14:20:53.831499 ftp.netbsd.org.ftp > pD9E58F94.dip.t-dialin.net.65529: P 2684:2704(20) ack 54 win 33580 <nop,nop,timestamp 6300396 5> [tos 0x10] 
14:20:54.027823 pD9E58F94.dip.t-dialin.net.65529 > ftp.netbsd.org.ftp: . ack 2704 win 17520 <nop,nop,timestamp 5 6300396> [tos 0x10] 
14:20:55.705825 pD9E58F94.dip.t-dialin.net.65529 > ftp.netbsd.org.ftp: P 54:60(6) ack 2704 win 17520 <nop,nop,timestamp 9 6300396> [tos 0x10] 
14:20:55.937524 ftp.netbsd.org.ftp > pD9E58F94.dip.t-dialin.net.65529: P 2704:2710(6) ack 60 win 33580 <nop,nop,timestamp 6300400 9> [tos 0x10] 
14:20:55.940951 ftp.netbsd.org.ftp > pD9E58F94.dip.t-dialin.net.65529: FP 2710:2896(186) ack 60 win 33580 <nop,nop,timestamp 6300400 9> [tos 0x10] 
14:20:55.941170 pD9E58F94.dip.t-dialin.net.65529 > ftp.netbsd.org.ftp: . ack 2897 win 17334 <nop,nop,timestamp 9 6300400> [tos 0x10] 
14:20:55.941734 pD9E58F94.dip.t-dialin.net.65529 > ftp.netbsd.org.ftp: F 60:60(0) ack 2897 win 17520 <nop,nop,timestamp 9 6300400> [tos 0x10] 
14:20:56.185750 ftp.netbsd.org.ftp > pD9E58F94.dip.t-dialin.net.65529: . ack 61 win 33580 <nop,nop,timestamp 6300401 9> [tos 0x10] 

A noticable difference is the MSS negotiation:

pppoe(4):
14:23:36.216126 PPPoE  [ses 0x18e8] pD953C6B5.dip.t-dialin.net.65528 > ftp.netbsd.org.ftp: S 605420961:605420961(0) win 16384 <mss 1452,nop,wscale 0,nop,nop,timestamp 0 0>
14:23:36.453208 PPPoE  [ses 0x18e8] ftp.netbsd.org.ftp > pD953C6B5.dip.t-dialin.net.65528: S 221086434:221086434(0) ack 605420962 win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 6300721 0>

rp-pppoe:
14:20:51.205591 pD9E58F94.dip.t-dialin.net.65529 > ftp.netbsd.org.ftp: S 3649106720:3649106720(0) win 16384 <mss 1452,nop,wscale 0,nop,nop,timestamp 0 0>
14:20:51.442677 ftp.netbsd.org.ftp > pD9E58F94.dip.t-dialin.net.65529: S 2464405853:2464405853(0) ack 3649106721 win 32768 <mss 1412,nop,wscale 0,nop,nop,timestamp 6300391 0>

It looks like our kernel MSS clamping support should clamp the MSS in
both directions but fails to do so.

>How-To-Repeat:

>Fix:
Using the "rp-pppoe" package fixes the problem.
>Release-Note:
>Audit-Trail:
>Unformatted: