Hi,
IPsec path MTU discovery with IPv4 transport mode is broken in IP
output. The MTU at the route is used for the unencrypted packet
without ESP header. After that, the length of the encrypted packet
with ESP header is compared with the same route. Of course it is
too big.
This seems to be a more general problem. As we use the route for
PMTU or fragmentation of the inner packet, we should not match the
outer packet after encryption with a route MTU.
ok?
bluhm
Index: netinet/ip_output.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_output.c,v
retrieving revision 1.375
diff -u -p -r1.375 ip_output.c
--- netinet/ip_output.c 24 Nov 2021 18:48:33 -0000 1.375
+++ netinet/ip_output.c 25 Nov 2021 22:10:47 -0000
@@ -230,7 +230,16 @@ reroute:
error = EHOSTUNREACH;
goto bad;
}
- if ((mtu = ro->ro_rt->rt_mtu) == 0)
+ mtu = 0;
+ /*
+ * The route MTU is used for the unencrypted packet.
+ * Fragmentation or sending ICMP should be done there.
+ * In transport mode the inner MTU must not be used
+ * for the encrypted packet.
+ */
+ if ((m->m_pkthdr.ph_tagsset & PACKET_TAG_IPSEC_OUT_DONE) == 0)
+ mtu = ro->ro_rt->rt_mtu;
+ if (mtu == 0)
mtu = ifp->if_mtu;
if (ro->ro_rt->rt_flags & RTF_GATEWAY)
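Review bot: the comment in this hunk explains only the transport-mode case, while the condition it guards is on PACKET_TAG_IPSEC_OUT_DONE, which does not distinguish transport from tunnel mode; since the cover letter states the general rule ("we should not match the outer packet after encryption with a route MTU"), consider rewording the comment to say that any packet already processed by IPsec output skips the route MTU, so that the comment matches the check. It would also help to state in the same comment that such packets still fall back to `mtu = ifp->if_mtu;`, i.e. the encrypted packet is still checked against the interface MTU, only the (possibly smaller) per-route MTU is bypassed, since that is the behaviour a reader must infer from the two lines that follow the tag test.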