tech-net archive
Re: IPv6 task list
Two IPsec tunnel related items - one a clear bug (also exists in Linux, FYI),
the other a little more controversial.
Clear Bug:
Do source fragmentation BEFORE applying tunnel code. Right now, what happens
is that all packets, regardless of size, are put through the IPsec code BEFORE
having source fragmentation applied. So the packet gets encapsulated, then split
up, then at the other end of the tunnel, the packet is reassembled. If the
endpoint of the tunnel is different from the ultimate destination of the
packet, then the packet will then be dropped (because it is too large for the
MTU), and a packet-too-large message will be returned to the source - all to
have the same thing happen again.
More controversial issue...
If an IPsec tunnel appears mid-flight and applying tunnel code causes the
packet to be too big for the MTU, the packet is then fragmented. Some people
have argued that because a new outer header is applied, it is a new packet,
therefore source fragmentation is allowed. The primary author of the IPsec RFC
disagrees with this interpretation - he feels a packet-too-large message should
be returned. The point of source fragmentation is to get the sizing right in
the first place so that we don't end up with a bunch of tiny fragments. That
is exactly what happens in this scenario. The new header adds a handful of
bytes over the MTU, so every full-size packet (and full-size packets will be
common in a large transfer) will be fragmented at the tunnel - one full-size
packet, and one tiny packet.
There are other weird behaviors with MTUs and IPsec tunnels that, for the most
part, won't occur in real life. And fixing some of these odd borderline cases
would involve changes to specifications.
-Bev
On Oct 26, 2013, at 8:28 AM, Loganaden Velvindron wrote:
> Hi guys,
>
> I'm currently drafting a list of tasks that need to be done for the
> IPv6 stack in NetBSD.
>
> I would welcome feedback from everybody.
>
> Kind regards,
> //logan
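
The two orderings discussed in the message above, worked through as packet sizes. This is an added example, not part of the original post and not NetBSD code. It assumes a 1500-byte MTU on every link, a constructed 60-byte tunnel overhead (outer IPv6 header plus ESP bytes), and a 3000-byte datagram from the source.

```python
# Added illustration (not NetBSD code): IPv6 fragmentation order around a tunnel.
IPV6_HDR = 40         # fixed IPv6 header
FRAG_HDR = 8          # IPv6 Fragment extension header
TUNNEL_OVERHEAD = 60  # assumed outer header + ESP bytes; real value depends on the SA


def fragment(packet_len, mtu):
    """Sizes of the IPv6 fragments (headers included) needed to fit `mtu`."""
    if packet_len <= mtu:
        return [packet_len]
    payload = packet_len - IPV6_HDR
    chunk = (mtu - IPV6_HDR - FRAG_HDR) // 8 * 8  # non-final fragments: multiple of 8
    sizes = []
    while payload > 0:
        take = min(chunk, payload)
        sizes.append(IPV6_HDR + FRAG_HDR + take)
        payload -= take
    return sizes


def encap_then_fragment(inner_len, mtu):
    """Order the post reports: encapsulate first, then fragment the outer packet."""
    wire = fragment(inner_len + TUNNEL_OVERHEAD, mtu)
    after_decap = [inner_len]  # tunnel endpoint reassembles, then decapsulates
    return wire, after_decap, all(p <= mtu for p in after_decap)


def fragment_then_encap(inner_len, mtu):
    """Proposed order: fragment the inner packet, then encapsulate each piece."""
    after_decap = fragment(inner_len, mtu - TUNNEL_OVERHEAD)
    wire = [p + TUNNEL_OVERHEAD for p in after_decap]
    return wire, after_decap, all(p <= mtu for p in after_decap)


if __name__ == "__main__":
    for name, fn in (("encap, then fragment", encap_then_fragment),
                     ("fragment, then encap", fragment_then_encap)):
        wire, inner, ok = fn(3000, 1500)
        print(f"{name}: on wire {wire}, after tunnel endpoint {inner}, "
              f"{'forwarded' if ok else 'dropped, packet-too-big sent'}")
    # Mid-flight tunnel: a full-size 1500-byte packet plus overhead exceeds the MTU.
    print("mid-flight 1500-byte packet:", fragment(1500 + TUNNEL_OVERHEAD, 1500))
```

The third value in each result is whether the hop after the tunnel endpoint can forward what comes out of the tunnel. The last line shows the full-size-plus-tiny fragment pair that the mid-flight case produces for every full-size packet.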