| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 13 Jul 2020 16:59:11 +0200
From: Florian Westphal <fw@...len.de>
To: David Ahern <dsahern@...il.com>
Cc: Florian Westphal <fw@...len.de>,
Stefano Brivio <sbrivio@...hat.com>, netdev@...r.kernel.org,
aconole@...hat.com
Subject: Re: [PATCH net-next 1/3] udp_tunnel: allow to turn off path mtu
discovery on encap sockets
David Ahern <dsahern@...il.com> wrote:
> On 7/13/20 8:02 AM, Florian Westphal wrote:
> > David Ahern <dsahern@...il.com> wrote:
> >> On 7/13/20 2:04 AM, Florian Westphal wrote:
> >>>> As PMTU discovery happens, we have a route exception on the lower
> >>>> layer for the given path, and we know that VXLAN will use that path,
> >>>> so we also know there's no point in having a higher MTU on the VXLAN
> >>>> device, it's really the maximum packet size we can use.
> >>> No, in the setup that prompted this series the route exception is wrong.
> >>
> >> Why is the exception wrong and why can't the exception code be fixed to
> >> include tunnel headers?
> >
> > I don't know. This occurs in a 3rd party (read: "cloud") environment.
> > After some days, tcp connections on the overlay network hang.
> >
> > Flushing the route exception in the namespace of the vxlan interface makes
> > the traffic flow again, i.e. if the vxlan tunnel would just use the
> > physical devices MTU things would be fine.
> >
> > I don't know what you mean by 'fix exception code to include tunnel
> > headers'. Can you elaborate?
>
> lwtunnel has lwtunnel_headroom which allows ipv4_mtu to accommodate the
> space needed for the encap header. Can something similar be adapted for
> the device based tunnels?
I don't see how it would help for this particular problem.
> > AFAICS everyhing functions as designed, except:
> > 1. The route exception should not exist in first place in this case
> > 2. The route exception never times out (gets refreshed every time
> > tunnel tries to send a mtu-sized packet).
> > 3. The original sender never learns about the pmtu event
>
> meaning the VM / container? ie., this is a VPC using VxLAN in the host
> to send packets to another hypervisor. If that is the case why isn't the
> underlay MTU bumped to handle the encap header, or the VMs MTU lowered
> to handle the encap header? seems like a config problem.
Its configured properly:
ovs bridge mtu: 1450
vxlan device mtu: 1450
physical link: 1500
so, packets coming in on the bridge (local tx or from remote bridge port)
can have the enap header (50 bytes) prepended without exceeding the
physical link mtu.
When the vxlan driver calls the ip output path, this line:
mtu = ip_skb_dst_mtu(sk, skb);
in __ip_finish_output() will fetch the MTU based of the encap socket,
which will now be 1450 due to that route exception.
So this will behave as if someone had lowered the physical link mtu to 1450:
IP stack drops the packet and sends an icmp error (fragmentation needed,
MTU 1450). The MTU of the VXLAN port is already at 1450.
I could make a patch that lowers the vxlan port MTU to 1450 - 50 (encap
overhead) automatically, but I don't think making such change
automatically is a good idea.
With this proposed patch, the MTU retrieved would always be the link
MTU.
I don't think this patch is enough to resolve PMTU in general of course,
after all the VXLAN peer might be unable to receive packets larger than
what the ICMP error announces. But I do not know how to resolve this
in the general case as everyone has a differnt opinion on how (and where)
this needs to be handled.
Powered by blists - more mailing lists