[Openswan dev] IPv6 fragmentation for KLIPS vs NETKEY
Paul Wouters
paul at xelerance.com
Mon Apr 25 14:48:38 EDT 2011
Hey David,
I see the following code in ipsec_xmit.c:
    notify = nexthdr != IPPROTO_ICMP &&
             nexthdr != IPPROTO_ICMPV6;
    KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
                "klips_debug:ipsec_xmit_init2: "
                "fragmentation needed ; %sdropping packet\n",
                notify ? "sending ICMP and " : "");
    if (notify)
        ICMP6_SEND(ixs->skb,
                   ICMP_DEST_UNREACH,
                   ICMP_FRAG_NEEDED,
                   ixs->cur_mtu,
                   ixs->physdev);
When testing IPv6 with ping6 -s 1400, KLIPS will drop the packet,
and not send an ICMP6 fragmentation needed packet, causing the ping to
fail.
Is there a (good) reason for this behaviour? If it is to avoid sending
ICMPs in response to ICMPs, could we check for ICMP_DEST_UNREACH,
ICMP_FRAG_NEEDED? Or could we let ECHO request/reply through?
Despite that, I don't think that is the real issue here. We do see
frag needed packets, but on ipsecX, not ethX. And I don't think they
ever make it to the right place.
For reference, NETKEY fragments the ESP packet and the pings work fine.
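An added example, not Openswan code, showing the rule the question above is circling: RFC 1122 (IPv4) and RFC 4443 (IPv6) forbid generating an ICMP error in response to another ICMP error, but say nothing against answering informational messages such as Echo Request/Reply, so a "don't notify for ICMP" test can be narrowed to "don't notify for ICMP errors". It also shows which message carries the path MTU for each family (IPv4 Destination Unreachable code 4 versus ICMPv6 Packet Too Big, type 2 code 0). The constants are defined locally from the RFCs rather than taken from kernel headers, `should_notify` and `make_notice` are names chosen here, and the 1280-byte MTU in `main` is a constructed value.

```c
/* Added example (not Openswan code): decide whether a "fragmentation
 * needed" notification may be sent for a packet that exceeds the tunnel
 * MTU, and which ICMP message carries the MTU for each address family.
 *
 * Rules applied (RFC 1122 s3.2.2, RFC 4443 s2.4): an ICMP error message
 * is never generated in response to another ICMP error message, but
 * informational messages such as Echo Request/Reply are answered
 * normally. ICMPv6 types 0..127 are errors, 128..255 informational. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Protocol numbers and ICMP type/code values as assigned in the RFCs. */
#define PROTO_ICMP            1
#define PROTO_ICMPV6          58
#define ICMP_ECHOREPLY        0
#define ICMP_DEST_UNREACH     3    /* ICMPv4 Destination Unreachable   */
#define ICMP_FRAG_NEEDED      4    /*   code: fragmentation needed/DF   */
#define ICMP_ECHO             8
#define ICMP6_PACKET_TOO_BIG  2    /* ICMPv6 Packet Too Big, code 0     */
#define ICMP6_ECHO_REQUEST    128
#define ICMP6_ECHO_REPLY      129

struct pmtu_notice {
    uint8_t  type;
    uint8_t  code;
    uint32_t mtu;   /* next-hop MTU reported to the sender */
};

/* True when an ICMPv4 type is an error message (RFC 792 / RFC 1122). */
static bool icmp4_is_error(uint8_t type)
{
    switch (type) {
    case 3:  /* destination unreachable */
    case 4:  /* source quench */
    case 5:  /* redirect */
    case 11: /* time exceeded */
    case 12: /* parameter problem */
        return true;
    default:
        return false;
    }
}

/* True when an ICMPv6 type is an error message: RFC 4443 reserves 0..127. */
static bool icmp6_is_error(uint8_t type)
{
    return type < 128;
}

/* nexthdr is the inner transport protocol; icmp_type is the inner ICMP
 * type and is ignored for non-ICMP payloads. Only ICMP *errors* suppress
 * the notification, so echo request/reply still get a PMTU answer. */
bool should_notify(bool is_ipv6, uint8_t nexthdr, uint8_t icmp_type)
{
    if (is_ipv6) {
        if (nexthdr == PROTO_ICMPV6)
            return !icmp6_is_error(icmp_type);
        return true;
    }
    if (nexthdr == PROTO_ICMP)
        return !icmp4_is_error(icmp_type);
    return true;
}

/* Build the family-appropriate notification carrying the path MTU. */
struct pmtu_notice make_notice(bool is_ipv6, uint32_t mtu)
{
    struct pmtu_notice n;
    if (is_ipv6) {
        n.type = ICMP6_PACKET_TOO_BIG;   /* not the IPv4 type 3/code 4 */
        n.code = 0;
    } else {
        n.type = ICMP_DEST_UNREACH;
        n.code = ICMP_FRAG_NEEDED;
    }
    n.mtu = mtu;
    return n;
}

int main(void)
{
    /* Constructed scenario like the one in the post: ping6 -s 1400 through
     * a tunnel whose path MTU is 1280 bytes (value chosen for illustration). */
    bool notify = should_notify(true, PROTO_ICMPV6, ICMP6_ECHO_REQUEST);
    struct pmtu_notice n = make_notice(true, 1280);
    printf("ping6 echo request: notify=%d -> ICMPv6 type %u code %u mtu %u\n",
           notify, n.type, n.code, n.mtu);
    /* An inner ICMPv6 error is not answered with another error. */
    printf("inner packet-too-big: notify=%d\n",
           should_notify(true, PROTO_ICMPV6, ICMP6_PACKET_TOO_BIG));
    return 0;
}
```

With this classification an oversized `ping6` echo request still triggers a Packet Too Big message toward the sender, which is what lets path MTU discovery converge instead of the ping silently failing, while a tunnel carrying someone else's ICMP error never generates an error about an error.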