On Mon, Jun 07, 2010 at 02:47:37PM +0200, Kai Krebber wrote:
> Hi!
>
> We have an Opensolaris 2009.6 - System acting as a router and
> terminating an IPSec-Tunnel. The IPSec-Tunnel obviously has an impact on
> the MTU.
> Some Internet servers do send large packets with DF bit set (typical
> PMTUD), but ignore the icmp 'dest unreachable / need to frag' - packets
> Solaris sends out in reply (or maybe a firewall in front of the server
> blocks these icmp packets).
>
> So I'd rather accept suboptimal fragmentation than the situation I
> currently have, i.e. the sender keeps on sending their too big packets
> and finally gives up.
>
> Not sure how to tackle this.
>
> Since we can't parent everybody out there to please not block these icmp
> packets, we have to work around the issue.
>
> Ideally Solaris sends out the icmp type 3 code 4 as normal and if the
> same sender sends another packet with the same (too big) size (i.e. a
> simple retransmit), Opensolaris ignores the DF-bit and fragments the
> packet to get it thru the tunnel.
>
> How would I get there without rewriting the Solaris network stack? Maybe
> this problem is more common than I thought and there is already a
> workaround available?
Lots of poorly-configured firewalls drop PMTUD. :(

Have you considered explicitly lowering the MTU of your tunnel(s)
("ifconfig ip.tun0 mtu 1376")? That way, the only nodes who need to worry
about PathMTU discovery are *internal* nodes, which you presumably have
more control over?

Dan

_______________________________________________
networking-discuss mailing list
networking-discuss@opensolaris.org
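The forwarding behaviour Kai asks for (answer the first oversized DF packet with ICMP type 3 code 4, fragment on a retransmit of the same size) can be modelled to show why a sender that ignores the ICMP sees a black hole today and what the proposed workaround would change. The model below is an added example written for this thread; it is not OpenSolaris code and nothing in it touches a real stack. The TunnelRouter class, the Packet/IcmpFragNeeded records, the 1376-byte tunnel MTU (taken from Dan's ifconfig suggestion) and the RFC 5737 addresses are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

IP_HEADER = 20  # bytes; fragments carry a fresh IP header each

# Constructed sample endpoints (RFC 5737 / RFC 1918 documentation ranges).
INTERNET_SERVER = "203.0.113.10"   # sends 1500-byte packets with DF set
INTERNAL_HOST = "10.0.0.5"         # sits behind the IPsec tunnel


@dataclass
class Packet:
    src: str
    dst: str
    size: int            # total IP length including header
    df: bool             # Don't-Fragment bit
    frag_offset: int = 0  # in 8-byte units, as on the wire
    more_frags: bool = False


@dataclass
class IcmpFragNeeded:
    """ICMP type 3 code 4 ('fragmentation needed and DF set')."""
    dst: str
    next_hop_mtu: int


class TunnelRouter:
    """Toy router with one tunnel interface of a fixed MTU (hypothetical model).

    fragment_on_retransmit=False is the normal stack behaviour: every oversized
    DF packet is dropped and answered with ICMP need-frag.
    fragment_on_retransmit=True is the workaround from the question: the
    second time the same sender presents the same oversized size, the DF bit
    is ignored and the packet is fragmented to fit the tunnel.
    """

    def __init__(self, tunnel_mtu: int, fragment_on_retransmit: bool = False):
        self.tunnel_mtu = tunnel_mtu
        self.fragment_on_retransmit = fragment_on_retransmit
        self.seen_oversized: Set[Tuple[str, int]] = set()  # (src, size) already warned
        self.icmp_sent: List[IcmpFragNeeded] = []

    def fragment(self, pkt: Packet) -> List[Packet]:
        payload = pkt.size - IP_HEADER
        # Fragment payloads must be multiples of 8 bytes except for the last one.
        chunk = (self.tunnel_mtu - IP_HEADER) // 8 * 8
        frags, off = [], 0
        while off < payload:
            n = min(chunk, payload - off)
            frags.append(Packet(pkt.src, pkt.dst, n + IP_HEADER, df=False,
                                frag_offset=off // 8, more_frags=off + n < payload))
            off += n
        return frags

    def forward(self, pkt: Packet) -> List[Packet]:
        """Return the packets actually placed on the tunnel (empty list = dropped)."""
        if pkt.size <= self.tunnel_mtu:
            return [pkt]
        if not pkt.df:
            return self.fragment(pkt)
        key = (pkt.src, pkt.size)
        retransmit = key in self.seen_oversized
        self.seen_oversized.add(key)
        if retransmit and self.fragment_on_retransmit:
            return self.fragment(pkt)  # sender ignored/never got the ICMP: fragment anyway
        self.icmp_sent.append(IcmpFragNeeded(pkt.src, self.tunnel_mtu))
        return []


def simulate(router: TunnelRouter, honor_icmp: bool, attempts: int = 3,
             start_size: int = 1500) -> List[str]:
    """Drive one sender through `attempts` sends and report each outcome."""
    size, log = start_size, []
    for _ in range(attempts):
        out = router.forward(Packet(INTERNET_SERVER, INTERNAL_HOST, size, df=True))
        if out:
            log.append(f"delivered as {len(out)} packet(s)")
        else:
            log.append("dropped, ICMP need-frag sent")
            if honor_icmp:  # well-behaved PMTUD sender shrinks to the advertised MTU
                size = router.icmp_sent[-1].next_hop_mtu
    return log


if __name__ == "__main__":
    print("normal stack, sender ignores ICMP:",
          simulate(TunnelRouter(1376), honor_icmp=False))
    print("normal stack, sender honors ICMP: ",
          simulate(TunnelRouter(1376), honor_icmp=True))
    print("workaround,   sender ignores ICMP:",
          simulate(TunnelRouter(1376, fragment_on_retransmit=True), honor_icmp=False))
```

The first run shows the black hole Kai describes (three drops, three ICMPs the sender never acts on); the second shows normal PMTUD converging after one ICMP; the third shows the requested fallback delivering the retransmit as two fragments. The per-(source, size) memory is what distinguishes a retransmit from a first attempt, so in a real implementation it would need an expiry or it grows without bound.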