Date:	Thu, 21 May 2015 17:25:24 -0400 (EDT)
From:	David Miller <davem@...emloft.net>
To:	steffen.klassert@...unet.com
Cc:	alexander.h.duyck@...hat.com, alexander.duyck@...il.com,
	netdev@...r.kernel.org
Subject: Re: Looking for a lost patch

From: Steffen Klassert <steffen.klassert@...unet.com>
Date: Wed, 20 May 2015 08:32:23 +0200

> On Tue, May 19, 2015 at 11:32:15AM -0700, Alexander Duyck wrote:
>> On 05/19/2015 12:57 AM, Steffen Klassert wrote:
>> >The MTU should be 1500. All the IPsec overhead is handled by PMTU
>> >discovery, just like in the case we use IPsec without vti tunnels.
>> >The IPv6 side of vti does it like that.
>> 
>> The problem is the PMTU isn't communicated to things that make use
>> of the tunnel.  For example if I do a "ping -s 2000 x.x.x.x" across
>> an IPv6 VTI interface it will fail currently as it assumes the MTU
>> is 1500 and so it is fragmenting the ping packet at sizes that won't
>> be communicated across the underlying interface.
> 
> Well, the problem is that the local socket is still attached on the
> skb. The socket gets an error notification if the packet is too big,
> but ping does not care much about these error notifications.
> 
> One option to get such applications to work is to orphan the skb
> in the vti xmit function. Then the packet is not assumed to be
> local, so PMTU discovery is triggered on that route.
> 
> Something like this should work for IPv6:

When a packet traverses software layered devices, we should not orphan
the socket.

In fact, we have taken great pains to make sure this works so that the
socket memory accounting is done correctly on the original top-level
socket.