lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 2 Mar 2022 12:44:47 +0100 From: Steffen Klassert <steffen.klassert@...unet.com> To: Lina Wang <lina.wang@...iatek.com> CC: Herbert Xu <herbert@...dor.apana.org.au>, "David S . Miller" <davem@...emloft.net>, Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>, "David Ahern" <dsahern@...nel.org>, Jakub Kicinski <kuba@...nel.org>, "Matthias Brugger" <matthias.bgg@...il.com>, <netdev@...r.kernel.org>, <linux-kernel@...r.kernel.org>, <linux-arm-kernel@...ts.infradead.org> Subject: Re: [PATCH v3] xfrm: fix tunnel model fragmentation behavior On Sat, Feb 26, 2022 at 03:48:01PM +0800, Lina Wang wrote: > in tunnel mode, if outer interface(ipv4) is less, it is easily to let > inner IPV6 mtu be less than 1280. If so, a Packet Too Big ICMPV6 message > is received. When send again, packets are fragmentized with 1280, they > are still rejected with ICMPV6(Packet Too Big) by xfrmi_xmit2(). > > According to RFC4213 Section3.2.2: > if (IPv4 path MTU - 20) is less than 1280 > if packet is larger than 1280 bytes > Send ICMPv6 "packet too big" with MTU=1280 > Drop packet > else > Encapsulate but do not set the Don't Fragment > flag in the IPv4 header. The resulting IPv4 > packet might be fragmented by the IPv4 layer > on the encapsulator or by some router along > the IPv4 path. > endif > else > if packet is larger than (IPv4 path MTU - 20) > Send ICMPv6 "packet too big" with > MTU = (IPv4 path MTU - 20). > Drop packet. > else > Encapsulate and set the Don't Fragment flag > in the IPv4 header. > endif > endif > Packets should be fragmentized with ipv4 outer interface, so change it. > > After it is fragemtized with ipv4, there will be double fragmenation. > No.48 & No.51 are ipv6 fragment packets, No.48 is double fragmentized, > then tunneled with IPv4(No.49& No.50), which obey spec. And received peer > cannot decrypt it rightly. > > 48 2002::10 2002::11 1296(length) IPv6 fragment (off=0 more=y ident=0xa20da5bc nxt=50) > 49 0x0000 (0) 2002::10 2002::11 1304 IPv6 fragment (off=0 more=y ident=0x7448042c nxt=44) > 50 0x0000 (0) 2002::10 2002::11 200 ESP (SPI=0x00035000) > 51 2002::10 2002::11 180 Echo (ping) request > 52 0x56dc 2002::10 2002::11 248 IPv6 fragment (off=1232 more=n ident=0xa20da5bc nxt=50) > > xfrm6_noneed_fragment has fixed above issues. Finally, it acted like below: > 1 0x6206 192.168.1.138 192.168.1.1 1316 Fragmented IP protocol (proto=Encap Security Payload 50, off=0, ID=6206) [Reassembled in #2] > 2 0x6206 2002::10 2002::11 88 IPv6 fragment (off=0 more=y ident=0x1f440778 nxt=50) > 3 0x0000 2002::10 2002::11 248 ICMPv6 Echo (ping) request > > Signed-off-by: Lina Wang <lina.wang@...iatek.com> Applied, thanks Lina!
Powered by blists - more mailing lists