lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 13 Mar 2013 17:14:53 +0200
From:	Timo Teras <timo.teras@....fi>
To:	netdev@...r.kernel.org
Subject: linux-3.6+, gre+ipsec+forwarding = IP fragmentation broken

In the typical DMVPN setup with IPv4-ESP-GRE-IPv4 stack, it seems that
IPv4 fragmentation got broke around 3.6 for forwarded packets.

It would seem that fragmentation works for locally generated packets.
Also PMTU (DF set) seems to work for both forwarded and locally
generated packets. But forwarded packets to gre device that gets IPsec
encrypted do not get fragmented properly.

3.4.x kernels work, 3.6 and 3.8 series tested and fail similarly.

I was going through the changelog and it seems that MTU is now handled
in nexthop exceptions and one needs to produce the full flow info to
update it. I'm wonding if this does not hold true in my code path as
ip_gre rewraps the forwarded packet and creates new IP header - when it
next goes to the xfrm code (which sends the ICMP error) the inner iphdr
is no longer accessible. Would this cause the breakage that I'm seeing?
Or the forward flow's mtu still updated somehow?

- Timo
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ