lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Wed, 13 Jun 2007 15:09:10 +0200
From:	"Marco Berizzi" <pupilla@...mail.com>
To:	"Patrick McHardy" <kaber@...sh.net>
Cc:	<netdev@...r.kernel.org>
Subject: Re: pmtu discovery on sa esp

Patrick McHardy wrote:

> Marco Berizzi wrote:
> > Patrick McHardy wrote:
> >
> >>We have some MTU opimiztations in 2.6.22-rc that might be related.
> >>Please check with tcpdump what exactly is happening and whether
> >>the 2.6.22-rc box is sending too large packets.
> >
> >
> > I have done a tcpdump capture on the external
> > interface but I don't see anything strange.
>
>
> Try dumping on loopback as well.

indeed: here is:

14:55:58.848705 IP (tos 0xc0, ttl  64, id 1440, offset 0, flags [none],
proto: ICMP (1), length: 576) linux2.6.22 > linux2.6.22: ICMP
linux2.6.21 unreachable - need to frag (mtu 1500), length 556
 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: ESP (50),
length: 1512) linux2.6.22 > linux2.6.21:
ESP(spi=0x91878312,seq=0x1553f), length 1492[|icmp]

> > (I can send to you the capture if you want/need)
> > I have noticed that the mtu on the aes tunnels
> > now is equal to 1450 byte (with 2.6.21 it was
> > 1428). Let me explain:
> >
> > linux 2.6.22-rc4 ->>-AES tunnel ->>- linux 2.6.21 mtu=1450
> > linux 2.6.21 ->>-AES tunnel ->>- linux 2.6.22-rc4 mtu=1428
> >
> > Now as a collateral effects all the windoze boxes
> > aren't able to exchange large packets: I must
> > upgrade all ipsec gateway to 2.6.22-rc4 (or
> > downgrade this box to 2.6.21 again). Hints?
>
>
> The question is whether 1450 is correct. Could you send me the
> output of "ip x s" (obfuscate keys if you want) and "ip x p"?

I have sent to you (not to the list) the info you
asked me.

> What is the MTU of the underlying device?

1500 byte

> Do the encapsulated
> packets still fit?

No, the will not fit (1512 > 1500)

> BTW, are you just using pluto or the entire openswan patch?

only pluto (no klips).


-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists