Re: ip6-in-ip{4,6} ipsec tunnel issues with 1280 MTU

Re: ip6-in-ip{4,6} ipsec tunnel issues with 1280 MTU

[Paolo Abeni]

Hi,

[fixed CC list]

On Wed, 2018-04-25 at 21:43 +0530, Ashwanth Goli wrote:
> Hi Pablo,

Actually I'm Paolo, but yours is a recurring mistake ;)

> I am noticing an issue similar to the one reported by Alexis Perez 
> [Regression for ip6-in-ip4 IPsec tunnel in 4.14.16]
> 
> In my IPsec setup outer MTU is set to 1280, ip6_setup_cork sees an MTU 
> less than IPV6_MIN_MTU because of the tunnel headers. -EINVAL is being 
> returned as a result of the MTU check that got added with below patch.
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/net/ipv6/ip6_output.c?h=v4.14.34&id=8278804e05f6bcfe3fdfea4a404020752ead15a6
> 
> Can we remove this MTU check since your recent patch [ipv6: the entire 
> IPv6 header chain must fit the first fragment] fixes a similar issue?

AFAICS, RFC 2473 implies we can have MTU below 1280 for tunnel devices
so we can probably relax the MTU check for such devices, but I think we
would still need it in the general case.

Cheers,

Paolo

Re: ip6-in-ip{4,6} ipsec tunnel issues with 1280 MTU

[Ashwanth Goli]

On 2018-04-26 17:21, Paolo Abeni wrote:
> Hi,
> 
> [fixed CC list]
> 
> On Wed, 2018-04-25 at 21:43 +0530, Ashwanth Goli wrote:
>> Hi Pablo,
> 
> Actually I'm Paolo, but yours is a recurring mistake ;)
> 
>> I am noticing an issue similar to the one reported by Alexis Perez
>> [Regression for ip6-in-ip4 IPsec tunnel in 4.14.16]
>> 
>> In my IPsec setup outer MTU is set to 1280, ip6_setup_cork sees an MTU
>> less than IPV6_MIN_MTU because of the tunnel headers. -EINVAL is being
>> returned as a result of the MTU check that got added with below patch.
>> 
>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/net/ipv6/ip6_output.c?h=v4.14.34&id=8278804e05f6bcfe3fdfea4a404020752ead15a6
>> 
>> Can we remove this MTU check since your recent patch [ipv6: the entire
>> IPv6 header chain must fit the first fragment] fixes a similar issue?
> 
> AFAICS, RFC 2473 implies we can have MTU below 1280 for tunnel devices
> so we can probably relax the MTU check for such devices, but I think we
> would still need it in the general case.
> 
> Cheers,
> 
> Paolo

Should I send out the following change as a patch?

diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 2e891d2..c4c3313 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1235,7 +1235,7 @@ static int ip6_setup_cork(struct sock *sk, struct 
inet_cork_full *cork,
          if (np->frag_size)
              mtu = np->frag_size;
      }
-    if (mtu < IPV6_MIN_MTU)
+  if (!(rt->dst.flags & DST_XFRM_TUNNEL) && mtu < IPV6_MIN_MTU)
          return -EINVAL;
      cork->base.fragsize = mtu;
      if (dst_allfrag(xfrm_dst_path(&rt->dst)))

Re: ip6-in-ip{4,6} ipsec tunnel issues with 1280 MTU

[David Ahern]

On 4/27/18 5:02 AM, Ashwanth Goli wrote:
> On 2018-04-26 17:21, Paolo Abeni wrote:
>> Hi,
>>
>> [fixed CC list]
>>
>> On Wed, 2018-04-25 at 21:43 +0530, Ashwanth Goli wrote:
>>> Hi Pablo,
>>
>> Actually I'm Paolo, but yours is a recurring mistake ;)
>>
>>> I am noticing an issue similar to the one reported by Alexis Perez
>>> [Regression for ip6-in-ip4 IPsec tunnel in 4.14.16]
>>>
>>> In my IPsec setup outer MTU is set to 1280, ip6_setup_cork sees an MTU
>>> less than IPV6_MIN_MTU because of the tunnel headers. -EINVAL is being
>>> returned as a result of the MTU check that got added with below patch.

If you know you are running ipsec over the link why are you setting the
outer MTU to 1280? RFC 2460 suggests the fragmentation of packets for
links with MTU < 1280 should be done below the IPv6 layer:

5. Packet Size Issues

   IPv6 requires that every link in the internet have an MTU of 1280
   octets or greater.  On any link that cannot convey a 1280-octet
   packet in one piece, link-specific fragmentation and reassembly must
   be provided at a layer below IPv6.

   Links that have a configurable MTU (for example, PPP links [RFC-
   1661]) must be configured to have an MTU of at least 1280 octets; it
   is recommended that they be configured with an MTU of 1500 octets or
   greater, to accommodate possible encapsulations (i.e., tunneling)
   without incurring IPv6-layer fragmentation.

Re: ip6-in-ip{4,6} ipsec tunnel issues with 1280 MTU

[Ashwanth Goli]

On 2018-04-27 20:18, David Ahern wrote:
> On 4/27/18 5:02 AM, Ashwanth Goli wrote:
>> On 2018-04-26 17:21, Paolo Abeni wrote:
>>> Hi,
>>> 
>>> [fixed CC list]
>>> 
>>> On Wed, 2018-04-25 at 21:43 +0530, Ashwanth Goli wrote:
>>>> Hi Pablo,
>>> 
>>> Actually I'm Paolo, but yours is a recurring mistake ;)
>>> 
>>>> I am noticing an issue similar to the one reported by Alexis Perez
>>>> [Regression for ip6-in-ip4 IPsec tunnel in 4.14.16]
>>>> 
>>>> In my IPsec setup outer MTU is set to 1280, ip6_setup_cork sees an 
>>>> MTU
>>>> less than IPV6_MIN_MTU because of the tunnel headers. -EINVAL is 
>>>> being
>>>> returned as a result of the MTU check that got added with below 
>>>> patch.
> 
> If you know you are running ipsec over the link why are you setting the
> outer MTU to 1280? RFC 2460 suggests the fragmentation of packets for
> links with MTU < 1280 should be done below the IPv6 layer:
> 
> 5. Packet Size Issues
> 
>    IPv6 requires that every link in the internet have an MTU of 1280
>    octets or greater.  On any link that cannot convey a 1280-octet
>    packet in one piece, link-specific fragmentation and reassembly must
>    be provided at a layer below IPv6.
> 
>    Links that have a configurable MTU (for example, PPP links [RFC-
>    1661]) must be configured to have an MTU of at least 1280 octets; it
>    is recommended that they be configured with an MTU of 1500 octets or
>    greater, to accommodate possible encapsulations (i.e., tunneling)
>    without incurring IPv6-layer fragmentation.

But is this not breaking point (b) from section 7.1 of RFC2473 since the 
inner packet can be smaller than 1280.

https://tools.ietf.org/html/rfc2473#section-7.1

Re: ip6-in-ip{4,6} ipsec tunnel issues with 1280 MTU

[David Ahern]

On 4/27/18 9:44 AM, Ashwanth Goli wrote:
> On 2018-04-27 20:18, David Ahern wrote:
>> On 4/27/18 5:02 AM, Ashwanth Goli wrote:
>>> On 2018-04-26 17:21, Paolo Abeni wrote:
>>>> Hi,
>>>>
>>>> [fixed CC list]
>>>>
>>>> On Wed, 2018-04-25 at 21:43 +0530, Ashwanth Goli wrote:
>>>>> Hi Pablo,
>>>>
>>>> Actually I'm Paolo, but yours is a recurring mistake ;)
>>>>
>>>>> I am noticing an issue similar to the one reported by Alexis Perez
>>>>> [Regression for ip6-in-ip4 IPsec tunnel in 4.14.16]
>>>>>
>>>>> In my IPsec setup outer MTU is set to 1280, ip6_setup_cork sees an MTU
>>>>> less than IPV6_MIN_MTU because of the tunnel headers. -EINVAL is being
>>>>> returned as a result of the MTU check that got added with below patch.
>>
>> If you know you are running ipsec over the link why are you setting the
>> outer MTU to 1280? RFC 2460 suggests the fragmentation of packets for
>> links with MTU < 1280 should be done below the IPv6 layer:
>>
>> 5. Packet Size Issues
>>
>>    IPv6 requires that every link in the internet have an MTU of 1280
>>    octets or greater.  On any link that cannot convey a 1280-octet
>>    packet in one piece, link-specific fragmentation and reassembly must
>>    be provided at a layer below IPv6.
>>
>>    Links that have a configurable MTU (for example, PPP links [RFC-
>>    1661]) must be configured to have an MTU of at least 1280 octets; it
>>    is recommended that they be configured with an MTU of 1500 octets or
>>    greater, to accommodate possible encapsulations (i.e., tunneling)
>>    without incurring IPv6-layer fragmentation.
> 
> But is this not breaking point (b) from section 7.1 of RFC2473 since the
> inner packet can be smaller than 1280.
> 
> https://tools.ietf.org/html/rfc2473#section-7.1

I don't think so.

Given how Linux works with ipsec (or my understanding of it), your
proposed change seems ok to me.