Hi Daniel,

for discussing IETF specifications, you might want to use the appropriate IETF mailing list...

However, as stated in my other mail, I think the definition in the RFC is correct. Your definition only works for DTLS/UDP/IPv4 without using IP options. In all other cases your definition is wrong: DTLS/SCTP, DTLS/DCCP, and so on...

Best regards
Michael
On May 16, 2009, at 10:12 AM, Daniel Mentz wrote:

I'm wondering if there's also an error in RFC 4347 section 4.1.1:

"[...] the maximum application datagram size, which is the PMTU minus the DTLS per-record overhead [...]"

Shouldn't it be phrased like this:

the maximum application datagram size, which is the PMTU minus the IP per-packet overhead minus the UDP per-datagram overhead minus the DTLS per-record overhead

-Daniel
Daniel Mentz wrote:

I've got the impression that the DTLS part of OpenSSL is based on an incorrect understanding of the term MTU (Maximum Transmission Unit).

My understanding is that the MTU refers to the size of the IP packet including the IP header (usually 20 bytes) and the UDP header (usually 8 bytes) in case UDP is used. This means that I can transfer 1472 bytes of payload if the MTU is 1500 bytes.

Now, if I start openssl s_server with the following command line

./openssl s_server -dtls1 -no_ecdhe -timeout -cert large.pem -mtu 1400

and monitor packets with Wireshark I can see IP packets with a total length of 1428 bytes.

From looking at this I infer that OpenSSL interprets the MTU as the maximum payload size of a UDP packet.

If I get rid of the -mtu parameter, rely on Path MTU discovery and set the MTU of the outgoing interface to 1400 I don't get any communication going. But I do see an avalanche of "Destination unreachable (Fragmentation needed)" ICMP messages. I guess that this is due to the incorrect understanding of the MTU. OpenSSL appears to try sending larger packets than allowed by the PMTU.

Can anyone confirm this problem?

Thanks
-Daniel
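The sizing question the thread turns on (is the MTU the whole IP packet, or the UDP payload OpenSSL appears to fill?) can be written down as a small model. The following is an added example, not code from OpenSSL, the RFC, or either poster. It uses the standard fixed header sizes (IPv4 20, IPv6 40, UDP 8, DTLS record header 13); the transport overhead is a parameter so that Michael's DTLS/SCTP and DTLS/DCCP cases can be expressed, and the cipher expansion (explicit IV, MAC, padding) is an assumed caller-supplied value because the thread does not quantify it. `check_mtu_setting` reproduces Daniel's observation: reading `-mtu 1400` as a UDP payload bound yields 1428-byte IP packets, which a 1400-byte path must reject with "fragmentation needed" when DF is set.

```python
"""Sizing a DTLS datagram against the path MTU (added example, not OpenSSL code)."""

IPV4_HEADER = 20         # bytes, without options
IPV4_OPTIONS_MAX = 40    # IHL allows at most a 60-byte IPv4 header
IPV6_HEADER = 40         # bytes, fixed header only
UDP_HEADER = 8
DTLS_RECORD_HEADER = 13  # type(1) + version(2) + epoch(2) + sequence(6) + length(2)


def ip_overhead(version: int = 4, options: int = 0) -> int:
    """IP per-packet overhead. `options` is IPv4 option bytes or IPv6 extension-header bytes."""
    if version == 4:
        if options < 0 or options > IPV4_OPTIONS_MAX or options % 4:
            raise ValueError("IPv4 options must be 0..40 bytes in 4-byte units")
        return IPV4_HEADER + options
    if version == 6:
        if options < 0 or options % 8:
            raise ValueError("IPv6 extension headers are multiples of 8 bytes")
        return IPV6_HEADER + options
    raise ValueError("unsupported IP version")


def max_application_datagram(pmtu: int, version: int = 4, options: int = 0,
                             transport_overhead: int = UDP_HEADER,
                             cipher_expansion: int = 0) -> int:
    """Largest DTLS application payload that fits in one IP packet of size `pmtu`.

    This is Daniel's reading of RFC 4347 4.1.1: PMTU minus IP per-packet
    overhead, minus transport overhead, minus DTLS per-record overhead.
    `transport_overhead` defaults to UDP; pass the SCTP or DCCP header size
    to model those transports. `cipher_expansion` is an assumed value for
    IV/MAC/padding, which the thread does not quantify.
    """
    overhead = (ip_overhead(version, options) + transport_overhead
                + DTLS_RECORD_HEADER + cipher_expansion)
    if pmtu <= overhead:
        raise ValueError(f"PMTU {pmtu} leaves no room after {overhead} bytes of overhead")
    return pmtu - overhead


def ip_packet_length(app_bytes: int, version: int = 4, options: int = 0,
                     transport_overhead: int = UDP_HEADER,
                     cipher_expansion: int = 0) -> int:
    """On-the-wire IP total length of one record carrying `app_bytes` of application data."""
    return (ip_overhead(version, options) + transport_overhead
            + DTLS_RECORD_HEADER + cipher_expansion + app_bytes)


def check_mtu_setting(mtu_setting: int, pmtu: int, mtu_is_udp_payload: bool) -> dict:
    """Compare two interpretations of an -mtu value (IPv4/UDP, Daniel's setup).

    mtu_is_udp_payload=False: the value bounds the IP packet (the RFC meaning).
    mtu_is_udp_payload=True:  the value bounds the UDP payload, which is what
    the 1400 -> 1428-byte capture in the post suggests OpenSSL did.
    Returns the resulting IP total length and whether a hop with MTU `pmtu`
    would answer with ICMP "fragmentation needed" (DF set, no fragmentation).
    """
    if mtu_is_udp_payload:
        ip_len = IPV4_HEADER + UDP_HEADER + mtu_setting
    else:
        ip_len = mtu_setting
    return {"ip_total_length": ip_len, "fragmentation_needed": ip_len > pmtu}


if __name__ == "__main__":
    print("max app payload at PMTU 1500 (IPv4/UDP):", max_application_datagram(1500))
    print("-mtu 1400 read as UDP payload:", check_mtu_setting(1400, 1400, True))
    print("-mtu 1400 read as IP packet size:", check_mtu_setting(1400, 1400, False))
```

The model makes Michael's objection concrete as well: a fixed "PMTU minus 28" only holds for IPv4 without options over UDP, so the function takes the IP version, option length and transport overhead explicitly rather than baking in 28.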
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org