tech-net archive


Re: IPv6 task list



Two IPsec tunnel related items - one a clear bug (also exists in Linux, FYI), 
the other a little more controversial.

Clear Bug:
Do source fragmentation BEFORE applying tunnel code.  Right now, what happens 
is that all packets, regardless of size, are put through the IPsec code BEFORE 
having source fragmentation applied.  So the packet gets encapsulated, then split 
up, then at the other end of the tunnel, the packet is reassembled.  If the 
endpoint of the tunnel is different from the ultimate destination of the 
packet, then the packet will be dropped (because it is too large for the 
MTU), and a packet-too-large message will be returned to the source - all to 
have the same thing happen again.

More controversial issue...
If an IPsec tunnel appears mid flight and applying tunnel code causes the 
packet to be too big for the MTU, the packet is then fragmented.  Some people 
have argued that because a new outer header is applied, it is a new packet, 
therefore source fragmentation is allowed.  The primary author of the IPsec RFC 
disagrees with this interpretation - he feels a packet-too-large message should 
be returned.  The point of source fragmentation is to get the sizing right in 
the first place so that we don't end up with a bunch of tiny fragments.  That 
is exactly what happens in this scenario.  The new header adds a handful of 
bytes over the MTU, so every full-size packet (and full-size packets will be 
common in a large transfer) will be fragmented at the tunnel - one full-size 
packet, and one tiny packet.

There are other weird behaviors with MTUs and IPsec tunnels that, for the most 
part, won't occur in real life. And fixing some of these odd borderline cases 
would involve changes to specifications.

-Bev

On Oct 26, 2013, at 8:28 AM, Loganaden Velvindron wrote:

> Hi guys,
> 
> I'm currently drafting a list of tasks that need to be done for the
> IPv6 stack in NetBSD.
> 
> I would welcome feedback from everybody.
> 
> Kind regards,
> //logan
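An added example, not code from the thread or from NetBSD, that models the two orderings Bev describes: IPsec encapsulation before source fragmentation (the current behaviour) versus fragmentation sized for the tunnel overhead first, plus the mid-flight gateway case where a full-size packet becomes one full-size fragment and one tiny one. IPv6 sizes follow the 40-byte header / 8-byte fragment header rules; the ESP tunnel overhead of 82 bytes and the 1500/1500 MTU values are assumptions chosen for illustration.

```python
# Added example (not from the mailing-list thread): a small model of IPv6
# source fragmentation ordered before vs. after IPsec tunnel encapsulation.
# Sizes are on-wire byte counts; the tunnel overhead is an assumed ESP
# tunnel-mode figure, not a value from the message.

IPV6_HDR = 40   # fixed IPv6 header
FRAG_HDR = 8    # IPv6 Fragment extension header

# Assumed ESP tunnel-mode overhead: outer IPv6 (40) + ESP header (8) +
# 16-byte IV + pad-length/next-header (2) + 16-byte ICV.  Block-cipher
# padding is ignored to keep the arithmetic simple.
TUNNEL_OVERHEAD = 40 + 8 + 16 + 2 + 16


def fragment_ipv6(total_len, mtu):
    """Split an IPv6 packet of total_len bytes (header included) into on-wire
    fragment sizes that each fit mtu.  Every non-last fragment carries a
    payload that is a multiple of 8 bytes, as the Fragment header requires."""
    if total_len <= mtu:
        return [total_len]
    per_frag = (mtu - IPV6_HDR - FRAG_HDR) // 8 * 8
    if per_frag <= 0:
        raise ValueError("MTU too small to carry a fragment")
    payload = total_len - IPV6_HDR          # the fragmentable part
    sizes = []
    while payload > 0:
        chunk = min(per_frag, payload)
        sizes.append(IPV6_HDR + FRAG_HDR + chunk)
        payload -= chunk
    return sizes


def reassemble_ipv6(sizes):
    """Inverse of fragment_ipv6: recover the original on-wire length."""
    if len(sizes) == 1:
        return sizes[0]
    return IPV6_HDR + sum(s - IPV6_HDR - FRAG_HDR for s in sizes)


def encapsulate_then_fragment(pkt_len, mtu, overhead=TUNNEL_OVERHEAD):
    """Current order: tunnel code first, then fragmentation of the ONE outer
    packet.  Also what a mid-flight tunnel gateway does to a full-size packet."""
    return ("fragments_of_one_outer", fragment_ipv6(pkt_len + overhead, mtu))


def fragment_then_encapsulate(pkt_len, mtu, overhead=TUNNEL_OVERHEAD):
    """Proposed order: fragment the inner packet to (mtu - overhead) so that
    each fragment, once wrapped, is an independent outer packet that fits."""
    inner = fragment_ipv6(pkt_len, mtu - overhead)
    return ("independent_outer", [f + overhead for f in inner])


def forward_beyond_endpoint(sent, next_hop_mtu, overhead=TUNNEL_OVERHEAD):
    """What the tunnel endpoint hands on towards the real destination.
    Fragments of one outer packet are reassembled there, because they belong
    to the encapsulated packet, then decapsulated; independent outer packets
    are simply decapsulated.  Anything larger than the next hop is dropped
    with an ICMPv6 Packet Too Big."""
    kind, sizes = sent
    if kind == "fragments_of_one_outer":
        inner = [reassemble_ipv6(sizes) - overhead]
    else:
        inner = [s - overhead for s in sizes]
    if any(p > next_hop_mtu for p in inner):
        return ("packet-too-big", inner)
    return ("forwarded", inner)


def source_retry(pkt_len, mtu, next_hop_mtu, rounds=3):
    """With the current order the source cannot make progress: each Packet Too
    Big reports an MTU the source already honours, so every retry repeats."""
    outcomes = []
    for _ in range(rounds):
        result, _inner = forward_beyond_endpoint(
            encapsulate_then_fragment(pkt_len, mtu), next_hop_mtu)
        outcomes.append(result)
        if result == "forwarded":
            break
        mtu = min(mtu, next_hop_mtu)   # path MTU learned from the ICMPv6 message
    return outcomes


if __name__ == "__main__":
    # Constructed scenario: 3000-byte packet, 1500-byte MTU on both sides of
    # a tunnel whose endpoint is not the destination.
    print("IPsec first :", encapsulate_then_fragment(3000, 1500),
          "->", forward_beyond_endpoint(encapsulate_then_fragment(3000, 1500), 1500))
    print("fragment first:", fragment_then_encapsulate(3000, 1500),
          "->", forward_beyond_endpoint(fragment_then_encapsulate(3000, 1500), 1500))
    # Mid-flight gateway: a full-size packet becomes one full-size fragment
    # and one tiny one.
    print("mid-flight gateway:", encapsulate_then_fragment(1500, 1500))
    print("source retries:", source_retry(3000, 1500, 1500))
```

The model only tracks lengths, so it says nothing about the IPsec processing itself; its point is that with the current order the only packet the endpoint can forward is the original 3000-byte one, which the next hop rejects every time, whereas sizing fragments to `mtu - overhead` before encapsulation yields outer packets of 1498, 1498 and 354 bytes whose inner fragments all fit the next hop.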


