FAST_IPSEC doesn't send ICMP frag needed

To: tech-net%netbsd.org@localhost
Subject: FAST_IPSEC doesn't send ICMP frag needed
From: Dave Huang <khym%azeotrope.org@localhost>
Date: Thu, 19 Dec 2013 22:26:42 -0600

It appears that (FAST_)IPSEC doesn't send ICMP fragmentation needed
when it gets a Don't Fragment packet that needs to be fragmented
because of encapsulation overhead. Beverly Schwartz posted an analysis
of the problem last year
<http://mail-index.netbsd.org/tech-net/2012/10/16/msg003674.html>, but
nobody said anything :(

Does anyone have thoughts about the proposed fix in that message? My
IPSEC tunnel isn't working right, probably due to AT&T lossage--
AFAICT, fragmented packets aren't making it out... tcpdump on my end
of the tunnel shows an ESP packet fragmented into two pieces being
sent out. However, only the first fragment makes it to the other end
of the tunnel; the second one is nowhere to be seen. Fragmented pings
(not in an IPSEC tunnel) aren't making it out either. I'd like to work
around it by not sending fragmented packets, but PMTUD is broken
because NetBSD isn't sending ICMP fragmentation needed.
-- 
Name: Dave Huang         |  Mammal, mammal / their names are called /
INet: khym%azeotrope.org@localhost |  they raise a paw / the bat, the cat /
FurryMUCK: Dahan         |  dolphin and dog / koala bear and hog -- TMBG
Dahan: Hani G Y+C 38 Y++ L+++ W- C++ T++ A+ E+ S++ V++ F- Q+++ P+ B+ PA+ PL++

Follow-Ups:
- Re: FAST_IPSEC doesn't send ICMP frag needed
  - From: Greg Troxel
- Re: FAST_IPSEC doesn't send ICMP frag needed
  - From: Dave Huang

Prev by Date: Re: BPF memstore and bpf_validate_ext()
Next by Date: Re: FAST_IPSEC doesn't send ICMP frag needed
Previous by Thread: ICMP_UNREACH_NEEDFRAG returns iface MTU instead of route?
Next by Thread: Re: FAST_IPSEC doesn't send ICMP frag needed
Indexes:

Home | Main Index | Thread Index | Old Index