[Openswan dev] IPv6 fragmentation for KLIPS vs NETKEY
david_mccullough at mcafee.com
Tue Apr 26 02:13:20 EDT 2011
Jivin Paul Wouters lays it down ...
> Hey David,
> I see the following code in ipsec_xmit.c:
> notify = nexthdr != IPPROTO_ICMP &&
> nexthdr != IPPROTO_ICMPV6;
> KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
> "klips_debug:ipsec_xmit_init2: "
> "fragmentation needed ; %sdropping packet\n",
> notify ? "sending ICMP and " : "");
> if (notify)
> When testing IPv6 with ping6 -s 1400, KLIPS will drop the packet,
> and not send an ICMP6 fragmentation needed packet, causing the ping to
> Is there a (good) reason for this behaviour? If it is to avoid sending
> icmps in responds to icmps, could we check for ICMP_DEST_UNREACH,
> ICMP_FRAG_NEEDED? Or could we let ECHO response/reply through?
> Despite that, I don't think that is the real issue here. We do see
> frag needed packets, but on ipsecX, not ethX. And I don't think they
> ever make it to the right place.
> For reference, NETKEY fragments the ESP packet and the pings work fine.
Under IPv6, routers are not to fragment, and me being a router vendor took
that at face value. Not sure if netkey is doing the right thing here or
I think that code should be sending an ICMPV6_PKT_TOOBIG. Need to check
Also, this is pretty much the same as the IPv4 code above it with less
checks. Looks like it needs a review though, will put that on the list to
look at ASAP ;-)
So th elist has end-point identification and icmp fragment thingy, anything
else in there you would like me to look at ?
David McCullough, david_mccullough at mcafee.com, Ph:+61 734352815
McAfee - SnapGear http://www.mcafee.com http://www.uCdot.org
More information about the Dev