What follows is an update on this issue.

The Problem:

Symantec Endpoint Protection 11.0.4 (Network Threat Protection)
periodically corrupts outbound UDP packets that are subject to
fragmentation.  In addition, any version of SEP 11.0.x including
11.0.5 results in performance degradation when UDP packets are
fragmented.


Why does data corruption not affect OpenAFS/Win 1.5.33 and earlier?

All versions of OpenAFS for Windows 1.3.50 to 1.5.33 included
by default a cap on the MTU size used for sending and receiving
packets within the Rx library.  This cap was configured using the
TransarcAFSDaemon\Parameters "RxMaxMTU" value.  A value of 1260
was used to permit OpenAFS communications to work in conjunction
with Cisco IPSec VPN 4.x clients.


Why does data corruption affect OpenAFS/Win 1.5.34 through 1.5.68?

Cisco VPN Client 5.0 fixed the problems with OpenAFS.  By the time
1.5.34 was released, 5.0 had been out for a significant period of
time and was widely distributed within the OpenAFS community.
It was determined that the >10% performance hit caused by not
sending full UDP packets was no longer required by the default
installation.


If the Windows network interface MTU is set to 1300, why does
OpenAFS continue to use 1444?

OpenAFS for Windows uses the IP Helper Library GetAdapterAddresses()
function to obtain the configuration data for all of the
installed network interfaces.  This API fails to report the
static MTU limit restriction if one is configured in the registry.
As a result, OpenAFS for Windows is unaware that the network
interface will fragment UDP packets larger than the assigned value.


How is this problem being addressed in 1.5.69?

Asanka Herath (Secure Endpoints) contributed a patch to search
for a registry assigned MTU value for each network interface which
permits OpenAFS for Windows to report the correct MTU values to
the Rx library and in response to the "cmdebug <host> -addrs"
query.  http://gerrit.openafs.org/#change,1105

In addition, a patch to the Rx library ensures that the interface
MTU values are used to limit packet size on sends as well as
on receives.  http://gerrit.openafs.org/#change,1107

When these two patches are applied, packet fragmentation will
not occur.  As a result the performance degradation and data
corruption caused by Symantec Endpoint Protection will be avoided.
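
Added example (not OpenAFS or Secure Endpoints code): a Python diagnostic that models the MTU bookkeeping described above. It takes the smallest of the adapter-reported MTU, any static per-interface registry MTU (the value GetAdapterAddresses() omits) and the RxMaxMTU cap, and reports whether an Rx send of a given size would fragment. Assumptions: IPv4, UDP and Rx headers of 20, 8 and 28 bytes, that RxMaxMTU counts UDP payload (Rx header plus data), and the registry locations under HKLM for the Tcpip Interfaces MTU value and TransarcAFSDaemon\Parameters.

```python
# Constructed diagnostic, not OpenAFS code: does an Rx send fit the interface MTU?
import sys

IP_HDR, UDP_HDR, RX_HDR = 20, 8, 28   # IPv4, UDP and Rx header sizes in bytes

def effective_mtu(reported_mtu, registry_mtu=None, rx_max_mtu=None):
    """Smallest link-level limit that applies to an Rx send on one adapter.
    reported_mtu: what GetAdapterAddresses() returns.
    registry_mtu: the static Tcpip Interfaces\\<GUID>\\MTU value the API omits
                  and the 1.5.69 patch starts consulting.
    rx_max_mtu:   the RxMaxMTU cap; assumed to count UDP payload (Rx header
                  plus data), so the 28 bytes of IP/UDP headers are added back."""
    limits = [reported_mtu]
    if registry_mtu is not None:
        limits.append(registry_mtu)
    if rx_max_mtu is not None:
        limits.append(rx_max_mtu + IP_HDR + UDP_HDR)
    return min(limits)

def max_rx_data(link_mtu):
    """Largest Rx data payload that leaves a single IP datagram unfragmented."""
    return link_mtu - (IP_HDR + UDP_HDR + RX_HDR)

def fragments(rx_data_bytes, link_mtu):
    """True if one Rx packet carrying this much data exceeds the link MTU."""
    return rx_data_bytes + RX_HDR + UDP_HDR + IP_HDR > link_mtu

def registry_mtus():
    """({adapter GUID: static MTU}, RxMaxMTU or None) from the Windows registry;
    returns empty results on other platforms.  Key paths are assumptions."""
    if sys.platform != "win32":
        return {}, None
    import winreg
    hklm, found, rx_max = winreg.HKEY_LOCAL_MACHINE, {}, None
    tcpip = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
    with winreg.OpenKey(hklm, tcpip) as ifs:
        for i in range(winreg.QueryInfoKey(ifs)[0]):
            guid = winreg.EnumKey(ifs, i)
            try:
                with winreg.OpenKey(ifs, guid) as sub:
                    found[guid] = winreg.QueryValueEx(sub, "MTU")[0]
            except OSError:                # no static MTU on this adapter
                pass
    try:                                   # TransarcAFSDaemon\Parameters per the page
        with winreg.OpenKey(hklm, r"SOFTWARE\TransarcAFSDaemon\Parameters") as k:
            rx_max = winreg.QueryValueEx(k, "RxMaxMTU")[0]
    except OSError:
        pass
    return found, rx_max
```

With the page's numbers, 1444 bytes of Rx data over an interface limited to 1300 fragments, while honouring the registry MTU (1244 bytes of data) or the old 1260 RxMaxMTU cap (1232 bytes) does not.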


Acknowledgments

Thanks to Richard Brittain and his management at Dartmouth for
the significant quantity of his time that was dedicated over the last
two months to help narrow down the root cause of this problem.  Without
their efforts, the gatekeepers could not have resolved this issue on
behalf of the community.

Jeffrey Altman