
Re: IPsec and Path MTU

To: "David S. Miller" <davem@xxxxxxxxxx>
Subject: Re: IPsec and Path MTU
From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 18 Jun 2004 09:09:18 +1000
Cc: kuznet@xxxxxxxxxxxxx, jmorris@xxxxxxxxxx, netdev@xxxxxxxxxxx
Sender: netdev-bounce@xxxxxxxxxxx

On Thu, Jun 17, 2004 at 03:22:16PM -0700, David S. Miller wrote:
> Right.  I'm sorry, is someone trying to do NFS/UDP over IPSEC?
> My condolences.  :-)

Nope, it breaks TCP as well.  Whether you're TCP/UDP or whatever,
you have to pass xfrm4_tunnel_check_size().  That function uses
an incorrect derivation of the MTU, thus potentially blocking
maximal packets from getting through.

As I said before, this only strikes for certain device MTUs.
So if you're having problems reproducing this, try setting your
device MTU to 1480 (or 1480 + 8x for any integer x).

> More seriously, it is a fringe case.  We do need to handle it,
> but it is no accident that there haven't been very
> many folks complaining about it.

I agree it's not a common problem.  But the reason is not what
you think it is :) It's because the common MTUs 1500, 1492 etc.
are not of the form 1480 + 8x.

Visit Openswan at
Email:  Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page:
PGP Key:
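The size arithmetic that a tunnel-mode ESP check has to get right, as an added example that is not part of this thread and is not the kernel's xfrm4_tunnel_check_size() (the message above does not say what the wrong derivation was, so the flawed formula is not reproduced here). Assumed parameters: IPv4 tunnel mode, an 8-byte IV, an 8-byte cipher block and a 12-byte ICV, as with 3DES-CBC plus HMAC-SHA1-96. Under those assumptions the fixed overhead (outer IP header 20, ESP header 8, IV 8, ICV 12) is 48 bytes, so device MTU minus 48 is a multiple of 8 exactly when the MTU is 1480 + 8x; those are the MTUs at which the largest inner packet fills the device MTU with zero bytes of slack, which the table printed by main() makes visible.

```c
#include <stdio.h>

/* Fixed sizes for IPv4 ESP tunnel mode (RFC 2406 framing).
 * Illustrative code, not the kernel's own xfrm size check. */
#define OUTER_IP_HDR 20
#define ESP_HDR       8   /* SPI + sequence number */
#define ESP_TRAILER   2   /* pad length + next header */

static unsigned round_up(unsigned v, unsigned a) { return (v + a - 1) / a * a; }

/* On-the-wire length of a tunnel-mode ESP packet carrying an inner IP
 * packet of inner_len bytes, for a cipher with IV length iv, block size
 * blk and an ICV of icv bytes. Padding aligns (payload + trailer) to blk. */
unsigned esp_tunnel_outer_len(unsigned inner_len, unsigned iv, unsigned blk, unsigned icv)
{
    unsigned enc = round_up(inner_len + ESP_TRAILER, blk);
    return OUTER_IP_HDR + ESP_HDR + iv + enc + icv;
}

/* Largest inner packet that still fits in dev_mtu, obtained by inverting
 * esp_tunnel_outer_len(): round the encrypted region down to the block
 * size, then take the trailer off. Returns 0 if nothing fits. */
unsigned esp_tunnel_max_inner(unsigned dev_mtu, unsigned iv, unsigned blk, unsigned icv)
{
    unsigned fixed = OUTER_IP_HDR + ESP_HDR + iv + icv;
    if (dev_mtu < fixed + blk)
        return 0;
    unsigned enc = (dev_mtu - fixed) / blk * blk;
    return enc > ESP_TRAILER ? enc - ESP_TRAILER : 0;
}

/* The check a tunnel has to make: can an inner packet of inner_len go
 * out without fragmenting the outer packet? */
int esp_tunnel_inner_fits(unsigned inner_len, unsigned dev_mtu,
                          unsigned iv, unsigned blk, unsigned icv)
{
    return esp_tunnel_outer_len(inner_len, iv, blk, icv) <= dev_mtu;
}

/* Bytes left unused on the wire when the maximal inner packet is sent.
 * Zero means the largest packet fills the device MTU exactly. */
unsigned esp_tunnel_slack(unsigned dev_mtu, unsigned iv, unsigned blk, unsigned icv)
{
    unsigned in = esp_tunnel_max_inner(dev_mtu, iv, blk, icv);
    return dev_mtu - esp_tunnel_outer_len(in, iv, blk, icv);
}

int main(void)
{
    /* assumed 3DES-CBC + HMAC-SHA1-96 parameters */
    const unsigned iv = 8, blk = 8, icv = 12;
    printf("dev MTU  max inner  outer len  slack\n");
    for (unsigned mtu = 1476; mtu <= 1500; mtu += 4) {
        unsigned in = esp_tunnel_max_inner(mtu, iv, blk, icv);
        printf("%7u  %9u  %9u  %5u\n", mtu, in,
               esp_tunnel_outer_len(in, iv, blk, icv),
               esp_tunnel_slack(mtu, iv, blk, icv));
    }
    return 0;
}
```

With a 16-byte block and IV (AES-128-CBC, same 12-byte ICV) the fixed overhead becomes 56 bytes and the zero-slack MTUs are 1480 + 16x instead, so the same function works for checking a different transform; the point of the example is that the maximal-packet case is the one to test, because any error in the derivation first shows up when there is no padding slack to hide it.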
