I have run into a bug with tunnel soft state not being handled properly across GRE / xfrm tunnels. My setup follows:

A <---> H U <---> D <---> C B <---> B

1) 'A' sends data for 'C' to 'B' (because of a special route setup)
   Current packet: ICMP ping request A->C
2) 'B' performs GRE encapsulation
   Current packet: GRE B->C
3) 'B' performs an IPsec wrapping
   Current packet: ESP B->C
4) 'B' performs another IPsec tunneling
   Current packet: ESP B->D
5) 'D' receives and decrypts the packet
   Current packet: ESP B->C
6) 'D' performs an IPsec tunneling and sends
   Current packet: ESP D->C
7) 'C' receives the packet and de-tunnels as follows
   Packet: ESP D->C  ESP B->C  GRE B->C  ICMP A->C

'C' then responds in a similar manner and everyone is happy.

The problem occurs when the packet size grows. Ex: try this setup and do `ping -s 1400 C` on host 'A'. It obviously won't work and shouldn't, but the problem is that host 'B' will perform the GRE encapsulation and then send an ICMP Fragmentation Needed message to itself:

   B -> B ICMP Fragmentation Needed

as opposed to sending a 'Fragmentation Needed' message to 'A', which it should do. This results in host 'A's packets being black-holed.

Information:
   Kernel: 2.6.11.2
   IPsec-Tools: 0.5rc2
   No firewalls
   Standard Ethernet connections

Is anyone working on a fix? If anyone needs more information be sure to 'CC' me as I am not getting the linux-net list right now.

Thomas DuBuisson
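The symptom above is easiest to confirm from a capture on host 'B': a Fragmentation Needed (ICMP type 3, code 4) that 'B' addresses to itself instead of to the inner packet's source does nothing for 'A'. The following is an added example, not code from the original post or from the kernel: it parses a type 3/code 4 message from raw bytes, validates the ICMP checksum, and flags the message as misdirected when its outer destination is the sender itself or is not the source quoted in the inner header. The packet bytes and the addresses (A=10.0.0.1, B=10.0.0.2, C=10.0.3.1) are constructed for the example; the GRE overhead of 24 bytes assumes a plain GRE header without key, checksum or sequence fields.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ICMP_DEST_UNREACH 3
#define ICMP_FRAG_NEEDED  4
#define IP4(a, b, c, d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))

struct frag_needed {
    uint32_t outer_src, outer_dst;  /* who sent the ICMP, and to whom */
    uint16_t next_hop_mtu;          /* MTU advertised in the ICMP */
    uint32_t inner_src, inner_dst;  /* header of the packet that was dropped */
    uint8_t  inner_proto;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return IP4(p[0], p[1], p[2], p[3]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v >> 16); wr16(p + 2, v & 0xffff); }

/* RFC 1071 one's-complement checksum; yields 0 over a message whose
 * checksum field is already correct. */
static uint16_t inet_csum(const uint8_t *p, size_t n)
{
    uint32_t sum = 0;
    while (n > 1) { sum += rd16(p); p += 2; n -= 2; }
    if (n) sum += (uint32_t)p[0] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Parse outer IPv4 + ICMP header + quoted inner IPv4 header.
 * Returns 0 on success, negative if malformed or not a frag-needed. */
int parse_frag_needed(const uint8_t *pkt, size_t len, struct frag_needed *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8 + 20) return -1;
    if (pkt[9] != 1) return -2;                       /* not ICMP */
    const uint8_t *icmp = pkt + ihl;
    if (icmp[0] != ICMP_DEST_UNREACH || icmp[1] != ICMP_FRAG_NEEDED) return -3;
    if (inet_csum(icmp, len - ihl) != 0) return -4;   /* bad checksum */
    const uint8_t *inner = icmp + 8;
    if ((inner[0] >> 4) != 4) return -5;
    out->outer_src = rd32(pkt + 12);
    out->outer_dst = rd32(pkt + 16);
    out->next_hop_mtu = rd16(icmp + 6);
    out->inner_src = rd32(inner + 12);
    out->inner_dst = rd32(inner + 16);
    out->inner_proto = inner[9];
    return 0;
}

/* A frag-needed only helps if it reaches the host that originated the
 * too-big packet (inner_src). A router that addresses it to itself, as
 * the post describes for 'B', leaves the real sender with no PMTU feedback. */
int frag_needed_misdirected(const struct frag_needed *f)
{
    return f->outer_dst == f->outer_src || f->outer_dst != f->inner_src;
}

/* MTU a GRE endpoint should advertise to the inner sender: link MTU minus
 * outer IPv4 (20) minus a plain GRE header (4). Assumption: no key/csum/seq. */
int gre_inner_mtu(int link_mtu) { return link_mtu - 20 - 4; }

/* Constructed test packet: outer IP (20) + ICMP (8) + inner IP (20) + 8 bytes
 * of the quoted echo request. Returns the packet length. */
size_t build_frag_needed(uint8_t *buf, uint32_t src, uint32_t dst,
                         uint16_t mtu, uint32_t isrc, uint32_t idst)
{
    memset(buf, 0, 56);
    buf[0] = 0x45; wr16(buf + 2, 56); buf[8] = 64; buf[9] = 1;
    wr32(buf + 12, src); wr32(buf + 16, dst);
    uint8_t *icmp = buf + 20;
    icmp[0] = ICMP_DEST_UNREACH; icmp[1] = ICMP_FRAG_NEEDED; wr16(icmp + 6, mtu);
    uint8_t *inner = icmp + 8;
    inner[0] = 0x45; wr16(inner + 2, 1428);  /* 20 IP + 8 ICMP + 1400 of ping -s 1400 */
    inner[8] = 64; inner[9] = 1;
    wr32(inner + 12, isrc); wr32(inner + 16, idst);
    inner[20] = 8;                           /* echo request */
    wr16(icmp + 2, inet_csum(icmp, 36));
    return 56;
}

int main(void)
{
    uint8_t buf[64];
    struct frag_needed f;
    /* The faulty case from the post: B sends the frag-needed to B. */
    size_t n = build_frag_needed(buf, IP4(10,0,0,2), IP4(10,0,0,2), 1476,
                                 IP4(10,0,0,1), IP4(10,0,3,1));
    if (parse_frag_needed(buf, n, &f) == 0)
        printf("mtu=%u misdirected=%d\n", f.next_hop_mtu, frag_needed_misdirected(&f));
    return 0;
}
```

Run against a real capture, the same parser applied to the ICMP seen leaving 'B' tells you whether the message is going to 'A' (useful) or back to 'B' (the black hole described above), and whether the advertised MTU is the 1476 a plain GRE tunnel on a 1500-byte link should report.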