Re: ICMP need to frag

From: dave baukus (dbaukus_at_chiaro.com)
Date: 05/23/05

Next message: Brooks Davis: "Re: vfs.nfs.diskless_valid"

Previous message: FreeBSD bugmaster: "Current problem reports assigned to you"
In reply to: Jeremie Le Hen: "Re: ICMP need to frag"
Next in thread: Jeremie Le Hen: "Re: ICMP need to frag"
Reply: Jeremie Le Hen: "Re: ICMP need to frag"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Date: Mon, 23 May 2005 09:07:55 -0500
To: Jeremie Le Hen <jeremie@le-hen.org>

>
>
> I forgot to tell that I don't have any firewall rule on the ssh server,
> and net.inet.tcp.path_mtu_discovery is set to 1.
>
> A few more questions :
> - Why does ssh set the Dont-Fragment bit ? This is maybe usual
> in today TCP/IP communications, as Path MTU Discovery slowly
> replaced fragmentation.

TCP always sets don't frag:
         /*
          * If we do path MTU discovery, then we set DF on every packet.
          * This might not be the best thing to do according to RFC3390
          * Section 2. However the tcp hostcache migitates the problem
          * so it affects only the first tcp connection with a host.
          */
         if (path_mtu_discovery)
                 ip->ip_off |= IP_DF;

You can turn it off via this sysctl:

int path_mtu_discovery = 1;
SYSCTL_INT(_net_inet_tcp, OID_AUTO, path_mtu_discovery, CTLFLAG_RW,
&path_mtu_discovery, 1, "Enable Path MTU Discovery");
>
> - Why does Path MTU Discovery doesn't work here ? I'm pretty
> sure that the ICMP Need-To-Frag packets are not filtered since
> I am able to see them outgoing from the Ethernet network card
> on the RELENG_4 router.
>

Does SSH use IPSEC AH ?
Just guessing here, but maybe the problems is (from icmp_input()):

                 /*
                  * XXX if the packet contains [IPv4 AH TCP], we can't make a
                  * notification to TCP layer.
                  */
                 ctlfunc = inetsw[ip_protox[icp->icmp_ip.ip_p]].pr_ctlinput;
                 if (ctlfunc)
                         (*ctlfunc)(code, (struct sockaddr *)&icmpsrc,
                                    (void *)&icp->icmp_ip);

-- 
Dave Baukus
dbaukus@chiaro.com			
	Chiaro Networks Ltd.
	Richardson, Texas
	USA
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

Next message: Brooks Davis: "Re: vfs.nfs.diskless_valid"

Previous message: FreeBSD bugmaster: "Current problem reports assigned to you"
In reply to: Jeremie Le Hen: "Re: ICMP need to frag"
Next in thread: Jeremie Le Hen: "Re: ICMP need to frag"
Reply: Jeremie Le Hen: "Re: ICMP need to frag"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]