Date: Tue, 03 Apr 2007 18:32:07 +0200
From: Patrick McHardy <kaber@...sh.net>
To: Herbert Xu <herbert@...dor.apana.org.au>
CC: Linux Netdev List <netdev@...r.kernel.org>
Subject: Re: IPsec PMTUD problem

Herbert Xu wrote:
> On Mon, Apr 02, 2007 at 04:10:25PM +0200, Patrick McHardy wrote:
>
>> I noticed a problem with PMTUD between two IPsec tunnel endpoints.
>> When sending a packet larger than the PMTU with IP_DF from one
>> tunnel endpoint to the other, xfrm4_output sends an ICMP frag.
>> required with the IPsec MTU. Since the addresses match the tunnel
>> endpoints, this updates the MTU for the XFRM route with the value
>> that was calculated for the entire bundle, which in turn causes
>> a decrease for the bundle, resulting in further ICMP frag. required
>> messages until the minimum is reached.
>
> I presume you're using the same pair of addresses inside and
> outside the tunnel? If so the problem is that the kernel doesn't
> distinguish between internal ICMP errors and external ones.
> So when an MTU update occurs for the internal pair the external
> pair is also affected.

Exactly.

> We'd need some field in the routing cache to distinguish the
> two pairs.

I'm not sure I understand how this would work; the ICMP message
looks the same in both cases. Or are you suggesting to differentiate
based on the source of the ICMP message?

> Of course the easy work-around is to use distinct addresses
> within IPsec tunnels.

Yes, that would work as a workaround, but it still seems like
something worth fixing.
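The feedback loop Patrick reports and the diagnosis Herbert gives can be replayed with a small model. The program below is an added example for this archive page, not kernel code and not written by either poster: it keeps a routing cache keyed only on the (source, destination) address pair, derives the xfrm bundle MTU from the outer route's cached MTU, and lets the sender react to each "fragmentation needed" message the way the thread describes. The link MTU (1500), the ESP tunnel overhead (73 bytes), the PMTU floor (552, chosen in the spirit of ip_rt_min_pmtu) and all addresses are assumptions picked for illustration. Run with the same pair inside and outside the tunnel, the cached MTU ratchets down by one overhead per round until it hits the floor and nothing ever fits; run with distinct inner addresses, a single ICMP settles the inner PMTU at 1427 and the next packet is delivered.

```c
/* Toy model of the IPsec PMTU feedback loop from this thread.
 * Added example, not Linux kernel code; every constant is assumed. */
#include <stdio.h>
#include <stdint.h>

#define LINK_MTU       1500 /* assumed MTU of the outer route */
#define IPSEC_OVERHEAD   73 /* assumed ESP tunnel overhead per packet */
#define MIN_PMTU        552 /* assumed floor, cf. ip_rt_min_pmtu */
#define MAX_ROUTES        8
#define MAX_ROUNDS       64 /* safety bound on the retry loop */

/* Made-up addresses: tunnel endpoints and hosts behind them. */
#define OUTER_A 0x0a000001u /* 10.0.0.1 */
#define OUTER_B 0x0a000002u /* 10.0.0.2 */
#define INNER_A 0xc0a80101u /* 192.168.1.1 */
#define INNER_B 0xc0a80201u /* 192.168.2.1 */

struct route { uint32_t saddr, daddr; int mtu; };

/* Cache keyed on the address pair alone: nothing tells an entry
 * updated by an "inner" ICMP apart from the outer route. */
struct rt_cache { struct route rt[MAX_ROUTES]; int n; };

static struct route *rt_lookup(struct rt_cache *c, uint32_t s, uint32_t d)
{
	for (int i = 0; i < c->n; i++)
		if (c->rt[i].saddr == s && c->rt[i].daddr == d)
			return &c->rt[i];
	struct route *r = &c->rt[c->n++]; /* first use: start at link MTU */
	r->saddr = s; r->daddr = d; r->mtu = LINK_MTU;
	return r;
}

/* Receiving ICMP "frag. needed": lower the cached PMTU, never below floor. */
static void rt_update_pmtu(struct rt_cache *c, uint32_t s, uint32_t d, int mtu)
{
	struct route *r = rt_lookup(c, s, d);
	if (mtu < MIN_PMTU) mtu = MIN_PMTU;
	if (mtu < r->mtu) r->mtu = mtu;
}

/* The xfrm bundle MTU is derived from the outer route's cached MTU. */
static int bundle_mtu(struct rt_cache *c, uint32_t os, uint32_t od)
{
	return rt_lookup(c, os, od)->mtu - IPSEC_OVERHEAD;
}

struct result {
	int icmps;     /* "frag. required" messages generated */
	int route_mtu; /* final cached MTU for the inner pair */
	int delivered; /* 1 if a packet eventually fit the bundle */
};

/* Send a DF packet of len bytes from is->id through tunnel os->od,
 * retrying with the PMTU the sender now believes after each ICMP. */
static struct result send_df(struct rt_cache *c, uint32_t is, uint32_t id,
			     uint32_t os, uint32_t od, int len)
{
	struct result res = { 0, 0, 0 };

	for (int round = 0; round < MAX_ROUNDS; round++) {
		int pmtu = rt_lookup(c, is, id)->mtu;
		int plen = len < pmtu ? len : pmtu; /* sender honours its PMTU */
		int bmtu = bundle_mtu(c, os, od);

		if (plen <= bmtu) { res.delivered = 1; break; }
		/* xfrm4_output: too big for the bundle, report the IPsec MTU
		 * to the inner source. With a shared cache entry this also
		 * shrinks the outer route, hence the bundle, for next round. */
		res.icmps++;
		rt_update_pmtu(c, is, id, bmtu);
		if (rt_lookup(c, is, id)->mtu == pmtu)
			break; /* pinned at the floor; every retry would fail */
	}
	res.route_mtu = rt_lookup(c, is, id)->mtu;
	return res;
}

/* distinct != 0: hosts behind the tunnel use their own addresses.
 * distinct == 0: inner pair equals the tunnel endpoints (one cache entry). */
static struct result run_scenario(int distinct)
{
	struct rt_cache cache = { .n = 0 };
	uint32_t is = distinct ? INNER_A : OUTER_A;
	uint32_t id = distinct ? INNER_B : OUTER_B;

	return send_df(&cache, is, id, OUTER_A, OUTER_B, LINK_MTU);
}

int main(void)
{
	struct result same = run_scenario(0), sep = run_scenario(1);

	printf("same pair:     %d ICMPs, route MTU %d, delivered=%d\n",
	       same.icmps, same.route_mtu, same.delivered);
	printf("distinct pair: %d ICMPs, route MTU %d, delivered=%d\n",
	       sep.icmps, sep.route_mtu, sep.delivered);
	return 0;
}
```

With these constants the shared-pair run emits 14 ICMP messages, one per 73-byte step from 1500 down to the 552 floor plus a final one that can no longer lower anything, and the bundle MTU ends at 479, below any packet the sender is willing to emit. The same model shows why Herbert's workaround holds: with distinct inner addresses the ICMP lands on a different cache entry and the outer route keeps its 1500.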