Subject: Re: DF bit processing in tunnelling devices
To: None <itojun@iijlab.net>
From: Jason R Thorpe <thorpej@zembu.com>
List: source-changes
Date: 07/05/2000 15:23:14
On Thu, Jul 06, 2000 at 06:59:05AM +0900, itojun@iijlab.net wrote:
> > syssrc/sys/netinet: in_gif.c
> >Log Message:
> >RFCs 1853, 2003, 2401 -- copy the DF bit.
>
> i'm not 100% sure if we should do this or not.
> RFC2401 says that the DF bit behavior should be configurable
> (copy, zero-clear, or set) in 6.1.1. appendix B has more meat.
>
> with "copy" behavior, you will see more ICMP too big message, which
> can choke in environment with icmp filtered (bad practice, but
> we see too many of this). good thing is that we can get better
> performance if everyone does path MTU discovery right.
> - your tunnel router got 1500bytes of native IPv4 packet, with
> DF bit set
> - gif_output encapsulates it, copy DF bit (now 1520bytes)
> - ip_output chokes and sends ICMP too big message
Right, Tunnel MTU Discovery is that RFC 1853 calls it. 2003 is also
pretty explicit (uses MUST) about what needs to happen with DF.
RFC 1853, page 4:
Don't Fragment copied from the inner IP header. This allows the
originator to control the level of performance
tradeoffs. See "Tunnel MTU Discovery".
...
3.1. Tunnel MTU Discovery
When the Don't Fragment bit is set by the originator and copied into
the outer IP header, the proper MTU of the tunnel will be learned
from ICMP (Type 3 Code 4) "Datagram Too Big" errors reported to the
encapsulator. To support originating hosts which use this
capability, all implementations MUST support Path MTU Discovery
[RFC-1191, RFC-1435] within their tunnels.
RFC 2003, page 4:
Identification, Flags, Fragment Offset
These three fields are set as specified in [10]. However, if
the "Don't Fragment" bit is set in the inner IP header, it MUST
be set in the outer IP header; if the "Don't Fragment" bit is
not set in the inner IP header, it MAY be set in the outer IP
header, as described in Section 5.1.
I guess the right way to view this is a sort of `forwarding', and
normal Internet routers also copy DF. It's really no different than
having a non-encapsulating router forward a DF'd packet out a small-MTU
PPP interface.
--
-- Jason R. Thorpe <thorpej@zembu.com>