Source-Changes archive


Re: DF bit processing in tunnelling devices



Jason R Thorpe <thorpej%zembu.com@localhost> writes:

>  >    with "copy" behavior, you will see more ICMP too big messages, which
>  >    can choke in environments with ICMP filtered (bad practice, but
>  >    we see too many of these).  the good thing is that we can get better
>  >    performance if everyone does path MTU discovery right.
>  >    - your tunnel router got 1500bytes of native IPv4 packet, with
>  >      DF bit set
>  >    - gif_output encapsulates it, copy DF bit (now 1520bytes)
>  >    - ip_output chokes and sends ICMP too big message

I saw this constantly when I tried to use a GRE tunnel to work.  Even
"good" firewall books say things like "all ICMP should be filtered"
mostly because people seem to forget about MTU discovery.

Black hole detection doesn't help, since the _other_ end doesn't do
it.  I suspect the other end is WinNoT.

I send a small http request, resulting in a large transfer back.  The
transfer hits the GRE DF processing, and since it never gets the ICMP
message back, and doesn't do blackhole detection, it hangs.

Contacting the person running the firewall proves to be useless --
either they say "no way, ICMP is eeeevil" or "I'm calling the FBI
since you're probing my machines!"

-Michael
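The sequence quoted above (1500-byte inner IPv4 packet with DF set, 20 bytes of encapsulation, outgoing link MTU 1500) is small enough to model end to end. The following is an added example, not NetBSD's gif or GRE code and not part of this thread: a toy tunnel encapsulator with a "copy", "clear" or "set" DF policy, the forwarding decision at the outgoing link, and a DF-setting sender without blackhole detection. The 20-byte overhead, the 1500-byte MTU and the retry limit are assumptions taken from the thread or chosen for illustration. Running it shows the three outcomes the thread discusses: with DF copied the encapsulator generates ICMP "fragmentation needed"; with DF cleared the outer packet is fragmented instead; and when a firewall in the path drops the ICMP, the DF-setting sender keeps retransmitting the same oversized segment and stalls.

```python
"""Model of DF handling at an IP-in-IP tunnel encapsulator (added example,
not NetBSD's gif/GRE code). Constants are assumptions taken from the thread."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

OUTER_MTU = 1500   # MTU of the link the encapsulated packet leaves on (assumed)
IPV4_HDR = 20      # minimal IPv4 header; also the encapsulation overhead (1500 -> 1520)


@dataclass
class Packet:
    size: int                        # total length in bytes, headers included
    df: bool                         # IPv4 "don't fragment" flag
    inner: Optional["Packet"] = None  # encapsulated packet, if any


def encapsulate(pkt: Packet, df_policy: str, overhead: int = IPV4_HDR) -> Packet:
    """Prepend an outer IPv4 header; df_policy is 'copy', 'clear' or 'set'."""
    if df_policy == "copy":
        outer_df = pkt.df
    elif df_policy == "clear":
        outer_df = False
    elif df_policy == "set":
        outer_df = True
    else:
        raise ValueError("unknown DF policy: %r" % df_policy)
    return Packet(size=pkt.size + overhead, df=outer_df, inner=pkt)


def ip_output(pkt: Packet, mtu: int = OUTER_MTU) -> Tuple[str, object]:
    """Forwarding decision at the outgoing link.

    Returns ('sent', [packet or fragments]) or ('icmp_too_big', link_mtu).
    """
    if pkt.size <= mtu:
        return "sent", [pkt]
    if pkt.df:
        return "icmp_too_big", mtu
    # Fragment: each fragment carries its own header, and all but the last
    # carry a payload that is a multiple of 8 (IPv4 fragment-offset unit).
    payload = pkt.size - IPV4_HDR
    chunk = (mtu - IPV4_HDR) // 8 * 8
    frags: List[Packet] = []
    while payload > 0:
        take = min(chunk, payload)
        frags.append(Packet(size=IPV4_HDR + take, df=False))
        payload -= take
    return "sent", frags


def tunnel_output(inner: Packet, df_policy: str, mtu: int = OUTER_MTU) -> Tuple[str, object]:
    """Encapsulate and emit. On ICMP, report the MTU usable by the *inner* sender."""
    outer = encapsulate(inner, df_policy)
    status, detail = ip_output(outer, mtu)
    if status == "icmp_too_big":
        return status, detail - (outer.size - inner.size)   # 1500 - 20 = 1480
    return status, detail


def pmtud_transfer(total_bytes: int, mss_ip_size: int, df_policy: str,
                   icmp_filtered: bool, max_retries: int = 5) -> Tuple[str, int]:
    """A DF-setting sender (PMTUD, no blackhole detection) pushes total_bytes
    through the tunnel. Returns ('done' | 'hung', packet size in use at the end)."""
    size, sent, retries = mss_ip_size, 0, 0
    while sent < total_bytes:
        if size <= IPV4_HDR:            # guard: no room for data, give up
            return "hung", size
        want = min(size, IPV4_HDR + (total_bytes - sent))   # last packet may be short
        status, detail = tunnel_output(Packet(size=want, df=True), df_policy)
        if status == "sent":
            sent += want - IPV4_HDR
            retries = 0
        elif icmp_filtered:
            retries += 1               # the ICMP never arrives; retransmit as-is
            if retries > max_retries:
                return "hung", size
        else:
            size = int(detail)         # ICMP arrived: shrink to the advertised MTU
    return "done", size


if __name__ == "__main__":
    big = Packet(size=1500, df=True)
    print("copy DF :", tunnel_output(big, "copy"))    # ICMP too big, 1480 usable
    print("clear DF:", tunnel_output(big, "clear"))   # two outer fragments
    for pol, filt in (("copy", False), ("copy", True), ("clear", True)):
        print(pol, "ICMP filtered" if filt else "ICMP passed",
              pmtud_transfer(100_000, 1500, pol, filt))
```

The "copy" policy with ICMP delivered is the well-behaved case: one ICMP message, the sender drops to 1480-byte packets, no fragmentation afterwards. The "copy" policy with ICMP filtered is the hang described above, and the "clear" policy trades that failure for two fragments per packet on the outer link.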


