Herbert Xu wrote:
> On Mon, Apr 02, 2007 at 04:10:25PM +0200, Patrick McHardy wrote:
>
>>I noticed a problem with PMTUD between two IPsec tunnel endpoints.
>>When sending a packet larger than the PMTU with IP_DF from one
>>tunnel endpoint to the other, xfrm4_output sends an ICMP frag.
>>required with the IPsec MTU. Since the addresses match the tunnel
>>endpoints, this updates the MTU for the XFRM route with the value
>>that was calculated for the entire bundle, which in turn causes
>>a decrease for the bundle, resulting in further ICMP frag. required
>>messages until the minimum is reached.
>
>
> I presume you're using the same pair of addresses inside and
> outside the tunnel? If so the problem is that the kernel doesn't
> distinguish between internal ICMP errors and external ones.
> So when an MTU update occurs for the internal pair the external
> pair is also affected.
Exactly.

> We'd need some field in the routing cache to distinguish the
> two pairs.

I'm not sure I understand how this would work; the ICMP message
looks the same in both cases. Or are you suggesting to differentiate
based on the source of the ICMP message?

> Of course the easy work-around is to use distinct addresses
> within IPsec tunnels.

Yes, that would work as a workaround, but it still seems like
something worth fixing.
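To make the feedback loop in the thread concrete, here is a small C model added to this page. It is not kernel code and not from either poster: the route cache, the ICMP handler and the "bundle MTU" function are hypothetical stand-ins for the real xfrm and route-cache machinery, the path MTU, the ESP overhead and the 552-byte floor are assumptions (the floor is chosen to match what Linux's ip_rt_min_pmtu defaults to), and the addresses are plain constructed integers. The one property the model preserves is the one Herbert describes: a cache entry is selected only by the (src, dst) pair quoted in the ICMP payload, so when the inner pair equals the outer pair one entry serves both.

```c
/*
 * Toy model of the PMTU feedback loop between IPsec tunnel endpoints.
 * Added illustration, not kernel code: all names and constants below
 * are assumptions, not the real xfrm / route-cache implementation.
 */
#include <stdio.h>
#include <stdint.h>

#define OUTER_PMTU          1500 /* assumed path MTU between the tunnel endpoints */
#define ESP_TUNNEL_OVERHEAD   60 /* assumed per-packet cost of the IPsec bundle */
#define MIN_PMTU             552 /* assumed floor, mirrors the Linux ip_rt_min_pmtu default */
#define MAX_ROUTES             4

/* One route-cache entry, keyed only by (src, dst), as in the thread */
struct route {
    uint32_t src, dst;
    int mtu;
};

struct rcache {
    struct route r[MAX_ROUTES];
    int n;
};

struct pmtu_sim {
    int icmp_count; /* ICMP "fragmentation needed" messages generated */
    int inner_mtu;  /* final MTU recorded for the inner address pair */
    int outer_mtu;  /* final MTU recorded for the outer (tunnel) pair */
    int delivered;  /* 1 if the sender eventually got a packet through */
};

static struct route *rt_lookup(struct rcache *c, uint32_t src, uint32_t dst)
{
    for (int i = 0; i < c->n; i++)
        if (c->r[i].src == src && c->r[i].dst == dst)
            return &c->r[i];
    return NULL;
}

static void rt_add(struct rcache *c, uint32_t src, uint32_t dst, int mtu)
{
    if (c->n < MAX_ROUTES)
        c->r[c->n++] = (struct route){ src, dst, mtu };
}

/* ICMP frag-needed handler: only the (src, dst) pair quoted in the ICMP
 * payload is available to pick a cache entry, so inner and outer traffic
 * between the same pair share one entry and one MTU. */
static void icmp_frag_needed(struct rcache *c, uint32_t src, uint32_t dst, int mtu)
{
    struct route *r = rt_lookup(c, src, dst);
    if (!r)
        return;
    if (mtu < MIN_PMTU)
        mtu = MIN_PMTU;
    if (mtu < r->mtu)
        r->mtu = mtu;
}

/* What the tunnel can carry: the outer route's MTU minus the bundle overhead */
static int bundle_mtu(struct rcache *c, uint32_t osrc, uint32_t odst)
{
    return rt_lookup(c, osrc, odst)->mtu - ESP_TUNNEL_OVERHEAD;
}

/* Send DF packets of 'len' bytes from inner pair (isrc, idst) through a
 * tunnel whose outer pair is (osrc, odst). The sender always honours the
 * PMTU it has learned; every oversized packet yields one ICMP error. */
static struct pmtu_sim simulate_tunnel(uint32_t isrc, uint32_t idst,
                                       uint32_t osrc, uint32_t odst, int len)
{
    struct rcache c = { 0 };
    struct pmtu_sim res = { 0, 0, 0, 0 };

    rt_add(&c, osrc, odst, OUTER_PMTU);
    if (!rt_lookup(&c, isrc, idst))       /* same pair -> one shared entry */
        rt_add(&c, isrc, idst, OUTER_PMTU);

    for (;;) {
        struct route *inner = rt_lookup(&c, isrc, idst);
        int send_len = len < inner->mtu ? len : inner->mtu;
        int bm = bundle_mtu(&c, osrc, odst);

        if (send_len <= bm) {
            res.delivered = 1;
            break;
        }
        res.icmp_count++;
        int before = inner->mtu;
        icmp_frag_needed(&c, isrc, idst, bm); /* the tunnel reporting its bundle MTU */
        if (inner->mtu == before)             /* floor reached: would otherwise loop forever */
            break;
    }
    res.inner_mtu = rt_lookup(&c, isrc, idst)->mtu;
    res.outer_mtu = rt_lookup(&c, osrc, odst)->mtu;
    return res;
}

int main(void)
{
    /* Constructed addresses: plain integers stand in for IPv4 addresses */
    struct pmtu_sim same = simulate_tunnel(1, 2, 1, 2, 1500);
    struct pmtu_sim distinct = simulate_tunnel(10, 20, 1, 2, 1500);

    printf("same pair inside/outside: %d ICMP errors, MTU %d, delivered=%d\n",
           same.icmp_count, same.inner_mtu, same.delivered);
    printf("distinct inner pair: %d ICMP error(s), inner MTU %d, outer MTU %d, delivered=%d\n",
           distinct.icmp_count, distinct.inner_mtu, distinct.outer_mtu, distinct.delivered);
    return 0;
}
```

With the same pair inside and outside, each ICMP error lowers the one shared entry, which lowers the bundle MTU by the same overhead again, and the run only stops at the floor with nothing delivered. With a distinct inner pair, the inner entry drops once to the bundle MTU, the outer entry stays at the path MTU, and the next packet goes through, which is the workaround Herbert suggests.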