| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20140211023258.GC11150@order.stressinduktion.org>
Date: Tue, 11 Feb 2014 03:32:58 +0100
From: Hannes Frederic Sowa <hannes@...essinduktion.org>
To: Ortwin Glück <odi@....ch>
Cc: linux-kernel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: xfrm: is pmtu broken with ESP tunneling?
Hi!
On Mon, Feb 10, 2014 at 09:41:54AM +0100, Ortwin Glück wrote:
> I am using Openswan to configure an IPSec VPN (using the xfrm/netkey
> backend). Large HTTP POST requests from the client seem to get stuck,
> because the outgoing packets are 1530 bytes (before being wrapped into
> ESP packets). The problem goes away by setting sysctl
> net.ipv4.ip_no_pmtu_disc=1.
This setting will shrink the path mtu to min_pmtu when a frag needed icmp is
received. It sounds like we calculate the path mtu incorreclty in case of
fragmentation.
> May have something to do with it:
> The tunneled network is 10.6.6.6/32 and I am SNAT'ing some destinations
> to that IP, so they get routed through the tunnel. Any other networks
> are not to go through the tunnel.
>
> iptables -t nat -A POSTROUTING -d "${R}" -j SNAT --to-source 10.6.6.6
>
> It seems quite clear to me that xfrm is doing something wrong here.
Can you send a ip route get <ip> to the problematic target to see how
far off the calculated value is?
Thanks,
Hannes
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists