From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Date: Mon, 13 Jun 2005 17:33:53 +1000
> One of the problems that's been plaguing our IPsec stack is ICMP
> blackholes. ICMP blackholes are particularly bad for tunnels because
> the most common remedy -- MSS clamping has no effect when applied
> outside the tunnel. It is often impractical to apply it inside
> the tunnel since the point where the clamping is applied may be some
> way away from either IPsec endpoint.
>
> The best solution so far has been to disable PMTU discovery when a
> blackhole is detected. We already support that for IPIP/GRE tunnels.
> The following patchset adds support for a similar strategy to IPsec
> tunnels.
>
> It is by no means ideal but it's something that you need to survive
> on today's Internet.

All 3 patches applied, thanks Herbert.

One thing needs clarification in your description. When I first
read "blackhole is detected" I was under the wrong impression as
to _who_ does the detection. Your patches allow the administrator
to do this, whereas I thought you were going to add some code which
dynamically figured out the presence of ICMP black holes and would
thus set the bit.