PGNet Dev <pgnet....@gmail.com> wrote:

> checking link mtus on my
> 
> local,
> 
>       ifconfig | grep mtu
>               enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>               enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>               lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
>               wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
> 
> & remote boxes
> 
>       ifconfig | grep mtu
>               dummy0: flags=195<UP,BROADCAST,RUNNING,NOARP>  mtu 1500
>               eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>               lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
>               wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
> 
> 1280 is _not_ a set mtu
> 
> reading
> 
>       Close Encounters of the ICMP Type 2 Kind (Near Misses with ICMPv6 Packet Too Big (PTB))
>        https://tools.ietf.org/html/rfc7690
> 
>       Path MTU Discovery
>        https://en.wikipedia.org/wiki/Path_MTU_Discovery#cite_note-4
> 
> it _appears_, iiuc, to be a fallback value.
> 
> I'm not clear if this "Too Big" packet issue's real, or a red-herring ... and 
> it's simply doing what it's supposed to be doing, falling back to a lower 
> value, &/or if there's *another* ICMP issue I'm missing
> 
> Is this^ an indication that I've misconfigured SW's IPv6 icmp rules?
> 
> What icmp* type allows for correct MTU discovery? Does it need to be 
> _explicitly_ set in SW?
> 
> I'm reticent to start blindly mss-clamping ...

I am really not an expert in IPv6 :-(

IPv6 works differently to IPv4 in several areas - and this is one of them. 
Where IPv4 either fragments packets or just drops them and leaves the ends to 
figure it out, in IPv6 a router needing to send a packet over a link that can't 
handle it will drop it AND send back an ICMP6 PTB (Packet Too Big) message to 
the source - thus explicitly telling the source to use smaller packets for that 
flow. If the PTB packets are filtered, then the mechanism fails.

This can occur at any hop, and in the test cases you've found, they will be 
artificially simulating this as a test. 1280 won't be configured on any of your 
systems, IIRC it's the minimum packet size supported in IPv6.

IIRC, by default Shorewall6 will configure the rules needed to allow mandatory 
ICMP6 packets through. Have you perhaps added some of your own that could be 
dropping them?

Simon



_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
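
Added example (not part of the original thread): a parser for the ICMPv6 Packet Too Big message discussed above, showing the fields a sender reads to lower its path MTU for one flow. The function names, addresses and packet sizes are constructed for illustration, and the checksum is left at 0 and not verified.

```python
import ipaddress
import struct

ICMP6_PACKET_TOO_BIG = 2   # ICMPv6 type 2, RFC 4443 section 3.2
IPV6_MIN_LINK_MTU = 1280   # every IPv6 link must be able to carry 1280 bytes


def parse_ptb(icmp6: bytes) -> dict:
    """Parse a Packet Too Big message (the bytes after the outer IPv6 header)."""
    if len(icmp6) < 8 + 40:
        raise ValueError("too short for PTB header plus embedded IPv6 header")
    msg_type, _code, _checksum, mtu = struct.unpack("!BBHI", icmp6[:8])
    if msg_type != ICMP6_PACKET_TOO_BIG:
        raise ValueError(f"ICMPv6 type {msg_type} is not Packet Too Big")
    # The router echoes the start of the packet it dropped, so the
    # sender can tell which flow the new MTU applies to.
    inner = icmp6[8:48]
    if inner[0] >> 4 != 6:
        raise ValueError("embedded packet is not IPv6")
    payload_len, next_header = struct.unpack("!HB", inner[4:7])
    return {
        "reported_mtu": mtu,
        # A sender never lowers its path MTU estimate below 1280.
        "effective_pmtu": max(mtu, IPV6_MIN_LINK_MTU),
        "flow_src": str(ipaddress.IPv6Address(inner[8:24])),
        "flow_dst": str(ipaddress.IPv6Address(inner[24:40])),
        "next_header": next_header,
        "dropped_packet_size": 40 + payload_len,
    }


def build_sample_ptb(mtu: int = 1280) -> bytes:
    """Constructed sample: PTB for a 1500-byte TCP packet, documentation addresses."""
    inner = struct.pack("!IHBB", 6 << 28, 1460, 6, 64)  # version 6, TCP, hop limit 64
    inner += ipaddress.IPv6Address("2001:db8::1").packed
    inner += ipaddress.IPv6Address("2001:db8::2").packed
    return struct.pack("!BBHI", ICMP6_PACKET_TOO_BIG, 0, 0, mtu) + inner


if __name__ == "__main__":
    print(parse_ptb(build_sample_ptb()))
```

If a firewall drops type 2 before it reaches the sender, none of these fields are ever seen and the flow keeps sending packets that are too large for the path.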
