Re: ip6-in-ip{4,6} ipsec tunnel issues with 1280 MTU
On 4/27/18 9:44 AM, Ashwanth Goli wrote: > On 2018-04-27 20:18, David Ahern wrote: >> On 4/27/18 5:02 AM, Ashwanth Goli wrote: >>> On 2018-04-26 17:21, Paolo Abeni wrote: Hi, [fixed CC list] On Wed, 2018-04-25 at 21:43 +0530, Ashwanth Goli wrote: > Hi Pablo, Actually I'm Paolo, but yours is a recurring mistake ;) > I am noticing an issue similar to the one reported by Alexis Perez > [Regression for ip6-in-ip4 IPsec tunnel in 4.14.16] > > In my IPsec setup outer MTU is set to 1280, ip6_setup_cork sees an MTU > less than IPV6_MIN_MTU because of the tunnel headers. -EINVAL is being > returned as a result of the MTU check that got added with below patch. >> >> If you know you are running ipsec over the link why are you setting the >> outer MTU to 1280? RFC 2460 suggests the fragmentation of packets for >> links with MTU < 1280 should be done below the IPv6 layer: >> >> 5. Packet Size Issues >> >> IPv6 requires that every link in the internet have an MTU of 1280 >> octets or greater. On any link that cannot convey a 1280-octet >> packet in one piece, link-specific fragmentation and reassembly must >> be provided at a layer below IPv6. >> >> Links that have a configurable MTU (for example, PPP links [RFC- >> 1661]) must be configured to have an MTU of at least 1280 octets; it >> is recommended that they be configured with an MTU of 1500 octets or >> greater, to accommodate possible encapsulations (i.e., tunneling) >> without incurring IPv6-layer fragmentation. > > But is this not breaking point (b) from section 7.1 of RFC2473 since the > inner packet can be smaller than 1280. > > https://tools.ietf.org/html/rfc2473#section-7.1 I don't think so. Given how Linux works with ipsec (or my understanding of it), your proposed change seems ok to me.
Re: ip6-in-ip{4,6} ipsec tunnel issues with 1280 MTU
On 2018-04-27 20:18, David Ahern wrote: On 4/27/18 5:02 AM, Ashwanth Goli wrote: On 2018-04-26 17:21, Paolo Abeni wrote: Hi, [fixed CC list] On Wed, 2018-04-25 at 21:43 +0530, Ashwanth Goli wrote: Hi Pablo, Actually I'm Paolo, but yours is a recurring mistake ;) I am noticing an issue similar to the one reported by Alexis Perez [Regression for ip6-in-ip4 IPsec tunnel in 4.14.16] In my IPsec setup outer MTU is set to 1280, ip6_setup_cork sees an MTU less than IPV6_MIN_MTU because of the tunnel headers. -EINVAL is being returned as a result of the MTU check that got added with below patch. If you know you are running ipsec over the link why are you setting the outer MTU to 1280? RFC 2460 suggests the fragmentation of packets for links with MTU < 1280 should be done below the IPv6 layer: 5. Packet Size Issues IPv6 requires that every link in the internet have an MTU of 1280 octets or greater. On any link that cannot convey a 1280-octet packet in one piece, link-specific fragmentation and reassembly must be provided at a layer below IPv6. Links that have a configurable MTU (for example, PPP links [RFC- 1661]) must be configured to have an MTU of at least 1280 octets; it is recommended that they be configured with an MTU of 1500 octets or greater, to accommodate possible encapsulations (i.e., tunneling) without incurring IPv6-layer fragmentation. But is this not breaking point (b) from section 7.1 of RFC2473 since the inner packet can be smaller than 1280. https://tools.ietf.org/html/rfc2473#section-7.1
Re: ip6-in-ip{4,6} ipsec tunnel issues with 1280 MTU
On 4/27/18 5:02 AM, Ashwanth Goli wrote: > On 2018-04-26 17:21, Paolo Abeni wrote: >> Hi, >> >> [fixed CC list] >> >> On Wed, 2018-04-25 at 21:43 +0530, Ashwanth Goli wrote: >>> Hi Pablo, >> >> Actually I'm Paolo, but yours is a recurring mistake ;) >> >>> I am noticing an issue similar to the one reported by Alexis Perez >>> [Regression for ip6-in-ip4 IPsec tunnel in 4.14.16] >>> >>> In my IPsec setup outer MTU is set to 1280, ip6_setup_cork sees an MTU >>> less than IPV6_MIN_MTU because of the tunnel headers. -EINVAL is being >>> returned as a result of the MTU check that got added with below patch. If you know you are running ipsec over the link why are you setting the outer MTU to 1280? RFC 2460 suggests the fragmentation of packets for links with MTU < 1280 should be done below the IPv6 layer: 5. Packet Size Issues IPv6 requires that every link in the internet have an MTU of 1280 octets or greater. On any link that cannot convey a 1280-octet packet in one piece, link-specific fragmentation and reassembly must be provided at a layer below IPv6. Links that have a configurable MTU (for example, PPP links [RFC- 1661]) must be configured to have an MTU of at least 1280 octets; it is recommended that they be configured with an MTU of 1500 octets or greater, to accommodate possible encapsulations (i.e., tunneling) without incurring IPv6-layer fragmentation.
Re: ip6-in-ip{4,6} ipsec tunnel issues with 1280 MTU
On 2018-04-26 17:21, Paolo Abeni wrote: Hi, [fixed CC list] On Wed, 2018-04-25 at 21:43 +0530, Ashwanth Goli wrote: Hi Pablo, Actually I'm Paolo, but yours is a recurring mistake ;) I am noticing an issue similar to the one reported by Alexis Perez [Regression for ip6-in-ip4 IPsec tunnel in 4.14.16] In my IPsec setup outer MTU is set to 1280, ip6_setup_cork sees an MTU less than IPV6_MIN_MTU because of the tunnel headers. -EINVAL is being returned as a result of the MTU check that got added with below patch. https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/net/ipv6/ip6_output.c?h=v4.14.34=8278804e05f6bcfe3fdfea4a404020752ead15a6 Can we remove this MTU check since your recent patch [ipv6: the entire IPv6 header chain must fit the first fragment] fixes a similar issue? AFAICS, RFC 2473 implies we can have MTU below 1280 for tunnel devices so we can probably relax the MTU check for such devices, but I think we would still need it in the general case. Cheers, Paolo Should I send out the following change as a patch? diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index 2e891d2..c4c3313 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -1235,7 +1235,7 @@ static int ip6_setup_cork(struct sock *sk, struct inet_cork_full *cork, if (np->frag_size) mtu = np->frag_size; } -if (mtu < IPV6_MIN_MTU) + if (!(rt->dst.flags & DST_XFRM_TUNNEL) && mtu < IPV6_MIN_MTU) return -EINVAL; cork->base.fragsize = mtu; if (dst_allfrag(xfrm_dst_path(>dst)))
Re: ip6-in-ip{4,6} ipsec tunnel issues with 1280 MTU
Hi, [fixed CC list] On Wed, 2018-04-25 at 21:43 +0530, Ashwanth Goli wrote: > Hi Pablo, Actually I'm Paolo, but yours is a recurring mistake ;) > I am noticing an issue similar to the one reported by Alexis Perez > [Regression for ip6-in-ip4 IPsec tunnel in 4.14.16] > > In my IPsec setup outer MTU is set to 1280, ip6_setup_cork sees an MTU > less than IPV6_MIN_MTU because of the tunnel headers. -EINVAL is being > returned as a result of the MTU check that got added with below patch. > > https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/net/ipv6/ip6_output.c?h=v4.14.34=8278804e05f6bcfe3fdfea4a404020752ead15a6 > > Can we remove this MTU check since your recent patch [ipv6: the entire > IPv6 header chain must fit the first fragment] fixes a similar issue? AFAICS, RFC 2473 implies we can have MTU below 1280 for tunnel devices so we can probably relax the MTU check for such devices, but I think we would still need it in the general case. Cheers, Paolo
