| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1d28e37a988a4da62f6df71ec6c3b67a@ac-clermont.fr>
Date: Thu, 14 Dec 2023 09:55:42 +0100
From: Vanhaute Nicolas <nicolas.vanhaute@...clermont.fr>
To: netdev@...r.kernel.org
Subject: ss command - false mss/mtu values
Hi,
I use socket stats in python scripts to catch some information. That
works well but I'm facing issues about MSS/MTU values... they are not
correct in most cases.
I managed few VPN (ipsec peer to peer but also ssl vpn...) so I can make
tests and check if it's ok. I use also windows apps to check (mtupath
and mturoute) or just ping with some arguments on linux.
FYI : I tried to change some values in sysctl.conf but no real changes.
OS used are RHEL8 and Ubuntu22.
ss utility, iproute2-5.18.0
ss utility, iproute2-ss200127
I use iperf to get these values so it's not a small trafic.
See below some tests :
By example a test inside a VPN tunnel (IPSEC peer to peer) where I
forced mss to 1360 and mtu to 1400 gives me :
ESTAB 0 1474240
172.30.92.192:47836
172.29.68.205:5201
timer:(on,028ms,0)
sack cubic wscale:10,7 rto:212 rtt:9.447/0.052 mss:1360
pmtu:1500 rcvmss:536 advmss:1460 cwnd:74 ssthresh:58 bytes_sent:88061397
bytes_retrans:25840 bytes_acked:87943078 segs_out:64754 segs_in:18658
data_segs_out:64752 send 85224939bps lastrcv:4944 pacing_rate
102265864bps delivery_rate 80641024bps delivered:64666 busy:4936ms
rwnd_limited:12ms(0.2%) unacked:68 retrans:0/19 rcv_space:14600
rcv_ssthresh:64076 notsent:1381760 minrtt:9.234
as you can see mss (1360) is the good one, but pmtu still 1500
an other test inside a VPN SSL (with a forticlient) :
ESTAB 0 2327424
172.31.119.187:39966
172.29.68.205:5201
timer:(on,140ms,0)
sack cubic wscale:10,7 rto:260 rtt:57.42/0.558 mss:1352
pmtu:1392 rcvmss:536 advmss:1352 cwnd:370 ssthresh:370
bytes_sent:55417165 bytes_retrans:4056 bytes_acked:54918278
segs_out:41014 segs_in:21803 data_segs_out:41012 send 69695576bps
lastrcv:4990 pacing_rate 83633960bps delivery_rate 79511952bps
delivered:40644 busy:4970ms rwnd_limited:1550ms(31.2%) unacked:366
retrans:0/3 reordering:4 reord_seen:6 rcv_space:13520 rcv_ssthresh:64184
notsent:1832592 minrtt:10.577
this time mss/mtu changed and pmtu seems true, but mss should be 1364
from my test with icmp, maybe just because tcp has option so 12 B more ?
and other ipsec tunnel on an other place I have :
ESTAB 0 3903886
192.168.23.75:51706
172.25.101.2:5201
timer:(on,019ms,0)
sack cubic wscale:10,7 rto:209 rtt:8.915/0.158 mss:1326
pmtu:1500 rcvmss:536 advmss:1460 cwnd:609 ssthresh:485
bytes_sent:472799861 bytes_retrans:185640 bytes_acked:471834534
segs_out:356564 segs_in:10900 data_segs_out:356562 send 724651935bps
lastsnd:1 lastrcv:5118 lastack:1 pacing_rate 869557936bps delivery_rate
689913056bps delivered:355835 busy:5096ms rwnd_limited:9ms(0.2%)
sndbuf_limited:4ms(0.1%) unacked:588 retrans:0/140 rcv_space:29200
rcv_ssthresh:29200 notsent:3124198 minrtt:8.348
mss 1326... and mtu still 1500 (false)
Well as you can see, it's difficult to get right values :-(
If you have an idea.
Thanks for your help
Nicolas
Powered by blists - more mailing lists