| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20101209124429.GA27083@gondor.apana.org.au> Date: Thu, 9 Dec 2010 20:44:29 +0800 From: Herbert Xu <herbert@...dor.apana.org.au> To: Joy Latten <latten@...tin.ibm.com> Cc: netdev@...r.kernel.org, samudrala@...ibm.com, rashmin@...ibm.com, davem@...emloft.net, dlstevens@...ibm.com Subject: Re: IPsecv6 tunnel mode fragmentation On Wed, Dec 08, 2010 at 08:20:42PM -0600, Joy Latten wrote: > > We did attempt to debug in kernel to see whether the pkt-too-big > was being discarded... from what we saw, it did not seem to be. > Also, an "ip -6 r l c" on TARGET showed the adjusted mtu for the route > to HOST, which the pkt-too-big was for. tunnel's mtu is untouched. Oh I see what you're saying. Sorry I misunderstood the issue earlier. > Thus why I reached my original conclusion, that perhaps > esp/ah disregard inner hdr mtu since does not fragment. > Thus inner pkt will be too big when it reaches link for > inner/original pkt to be sent on. Indeed we don't have any fragmentation capbility at all on the IPsec output path inside the tunnel. For IPv4 this isn't an issue because the other end can perform fragmentation. This is clearly not an option with IPv6. I'll look into this. Cheers, -- Email: Herbert Xu <herbert@...dor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists