lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 27 Apr 2018 08:48:09 -0600
From:   David Ahern <dsahern@...il.com>
To:     Ashwanth Goli <ashwanth@...eaurora.org>,
        Paolo Abeni <pabeni@...hat.com>
Cc:     netdev@...r.kernel.org, maloney@...gle.com, edumazet@...gle.com,
        netdev-owner@...r.kernel.org
Subject: Re: ip6-in-ip{4,6} ipsec tunnel issues with 1280 MTU

On 4/27/18 5:02 AM, Ashwanth Goli wrote:
> On 2018-04-26 17:21, Paolo Abeni wrote:
>> Hi,
>>
>> [fixed CC list]
>>
>> On Wed, 2018-04-25 at 21:43 +0530, Ashwanth Goli wrote:
>>> Hi Pablo,
>>
>> Actually I'm Paolo, but yours is a recurring mistake ;)
>>
>>> I am noticing an issue similar to the one reported by Alexis Perez
>>> [Regression for ip6-in-ip4 IPsec tunnel in 4.14.16]
>>>
>>> In my IPsec setup outer MTU is set to 1280, ip6_setup_cork sees an MTU
>>> less than IPV6_MIN_MTU because of the tunnel headers. -EINVAL is being
>>> returned as a result of the MTU check that got added with below patch.

If you know you are running ipsec over the link why are you setting the
outer MTU to 1280? RFC 2460 suggests the fragmentation of packets for
links with MTU < 1280 should be done below the IPv6 layer:

5. Packet Size Issues

   IPv6 requires that every link in the internet have an MTU of 1280
   octets or greater.  On any link that cannot convey a 1280-octet
   packet in one piece, link-specific fragmentation and reassembly must
   be provided at a layer below IPv6.

   Links that have a configurable MTU (for example, PPP links [RFC-
   1661]) must be configured to have an MTU of at least 1280 octets; it
   is recommended that they be configured with an MTU of 1500 octets or
   greater, to accommodate possible encapsulations (i.e., tunneling)
   without incurring IPv6-layer fragmentation.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ