| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 25 Apr 2012 11:20:01 +0200 From: Tore Anderson <tore@....no> To: Maciej Żenczykowski <maze@...gle.com> Cc: Eric Dumazet <eric.dumazet@...il.com>, David Miller <davem@...emloft.net>, netdev <netdev@...r.kernel.org>, Tom Herbert <therbert@...gle.com> Subject: Re: [PATCH net-next] ipv6: RTAX_FEATURE_ALLFRAG causes inefficient TCP segment sizing * Maciej Żenczykowski >> But we chose to _not_ decrease mtu and adhere to the specs. > > I get that we _choose_ to behave such, and I agree this adheres to > specs. "Chose" (past), not "choose" (present). ;-) This patch does not make this choice. This patch merely fixes a bug in the implementation of the choice that was made a long time ago. > But I'm not convinced that (even though this is allowed per RFC) this > is the right choice. That is a different issue entirely, but I don't disagree with you. A "min_pmtu" sysctl or something like that would be useful. > Also note that IPv6 prefers to see fragmentation happen at the end > hosts, and not at the routers. > Although of course it doesn't treat a tunnel end point as a router. Actually, in IPv6, fragmentation *must* be performed by end hosts, routers (including tunnel end points) *cannot* fragment. However, the use case for the allfrag feature is not handling tunnels, but IPv4<->IPv6 translation. The issue is that a IPv6 host may very well receive an ICMPv6 Packet Too Big indicating a PMTU of <1280 that was originally transmitted by an IPv4 router (as an ICMPv4 Need To Fragment) and underwent translation to IPv6. In this case, the IPv6 node does not need to reduce the PMTU to <1280 (Linux does not), but it is not invalid to have a <1280 MTU link in the IPv4 internet either, so something else must be done for the communication to work. The solution is then to include the IPv6 Fragment extension header, so that the translator have a suitable Identification value to copy into the translated IPv4 header, and may therefore clear the Don't Fragment flag, so that the IPv4 router will fragment the packet as it is forwarded onto the low-MTU link. In case you're interested, I have a slide deck below that explains the use case for IPv4<->IPv6 translation. Slide 25 is about the particular corner case where the allfrag feature is necessary. URL: http://fud.no/talks/20120417-RIPE64-The_Case_for_IPv6_Only_Data_Centres.pdf Tore -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists