On Fri, 2002-10-25 at 16:55, Julian Anastasov wrote: > > Hello, Hi julian ! > > On 25 Oct 2002, Vincent Jaussaud wrote: > > > > ssh tends to play with TOS fields (and rightly so). Routing is keyed to the > > > *triple* (src, dst, tos), something that most people (including me) normally > > > forget. However, in this particular case that may be the reason for your > > > ssh's breaking. > > > > > Hmm... that's really interesting. Thanks for the pointer. I remember now > > that I've read something regarding SSH & TOS field some days ago. If I'm > > right, it use the Minimum Delay TOS value. > > > > Now, how am I suppose to deal with this TOS issue ? What TOS value > > should do the trick ? > > In theory, you should not reach multipath route for > traffic that is already NAT-ed. May be you have to fix your > routes. The TOS field plays in the input routing performed > on forwarding and traffic between two public IP addresses can select > different nexthop if the TOS is different or if the routing > cache is somehow flushed (on route/address add/del, expiration). But traffic is NAT-ed after multipath routing occurs ! Eg, the box which do multipath routing do not NAT traffic; traffic get NAT-ed when leaving the gateways: LAN --> FW w/ multipath-routing | | Gateway1 Gateway2 | (NAT) | (NAT) | | -------------------- Remote Network Packets reach the Remote Network using one of the Gateway NAT-ed IP, so that when packets come back they should use the proper return path. Am I wrong ? > > > I'm using a 2.2 kernel with ipchains. > > > > > The reason for FTP breaking possibly has to do with packets for > > > the control connection going out the one gateway and for the data going > > > out the other... but this is speculation on my part. > > > > That sounds wise. However, routes are suppose to be cached using the src > > IP field as well (If I'm not mistaken), so that every packets coming > > from a particular IP are likely to take the same route than the others. > > Am I wrong ? > > Yes, TOS is a routing key just like SADDR and DADDR. > By using multipath route between 2 IP addresses you agree that > the packets can _safely_ choose any of the paths. When using > two or more ISPs you simply can't do this if the ISPs have > source spoofing disabled. In such cases only the traffic that > is NAT-ed from your box has the right to use the multipath route. > This is a key requirement for the patches you are using. Once > the NAT connections are established they don't hit multipath > route. > Hmmm... Then this is where the problem is. So, if I understand correctly, packets coming from a single TCP connections will use any of the multipath route _if_ they are not NAT-ed ? Isn't the routing cache suppose to ensure that every packets coming from a single connection use the same path ? Now, If I understand the whole topic, in order to fix my problem, I need to: - NAT everything on the FW itself - or disable NAT on both gateways, and ensure that routing is done properly Am I right ? I'm becomming a bit lost, here :-\ Many Thanks for your time. Vincent. > > A BIG Thanks for your reply :-) > > Cheers, > > Vincent. > > Regards > > -- > Julian Anastasov <ja@ssi.bg> > > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ -- Vincent Jaussaud Kelkoo.com Security Manager email: tatooin@kelkoo.com "The UNIX philosophy is to design small tools that do one thing, and do it well." _______________________________________________ LARTC mailing list / LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
