On 4/27/18 9:44 AM, Ashwanth Goli wrote: > On 2018-04-27 20:18, David Ahern wrote: >> On 4/27/18 5:02 AM, Ashwanth Goli wrote: >>> On 2018-04-26 17:21, Paolo Abeni wrote: >>>> Hi, >>>> >>>> [fixed CC list] >>>> >>>> On Wed, 2018-04-25 at 21:43 +0530, Ashwanth Goli wrote: >>>>> Hi Pablo, >>>> >>>> Actually I'm Paolo, but yours is a recurring mistake ;) >>>> >>>>> I am noticing an issue similar to the one reported by Alexis Perez >>>>> [Regression for ip6-in-ip4 IPsec tunnel in 4.14.16] >>>>> >>>>> In my IPsec setup outer MTU is set to 1280, ip6_setup_cork sees an MTU >>>>> less than IPV6_MIN_MTU because of the tunnel headers. -EINVAL is being >>>>> returned as a result of the MTU check that got added with below patch. >> >> If you know you are running ipsec over the link why are you setting the >> outer MTU to 1280? RFC 2460 suggests the fragmentation of packets for >> links with MTU < 1280 should be done below the IPv6 layer: >> >> 5. Packet Size Issues >> >> IPv6 requires that every link in the internet have an MTU of 1280 >> octets or greater. On any link that cannot convey a 1280-octet >> packet in one piece, link-specific fragmentation and reassembly must >> be provided at a layer below IPv6. >> >> Links that have a configurable MTU (for example, PPP links [RFC- >> 1661]) must be configured to have an MTU of at least 1280 octets; it >> is recommended that they be configured with an MTU of 1500 octets or >> greater, to accommodate possible encapsulations (i.e., tunneling) >> without incurring IPv6-layer fragmentation. > > But is this not breaking point (b) from section 7.1 of RFC2473 since the > inner packet can be smaller than 1280. > > https://tools.ietf.org/html/rfc2473#section-7.1
I don't think so. Given how Linux works with ipsec (or my understanding of it), your proposed change seems ok to me.
