[Openswan dev] IPv6 fragmentation for KLIPS vs NETKEY

David McCullough david_mccullough at mcafee.com
Tue Apr 26 02:13:20 EDT 2011

Jivin Paul Wouters lays it down ...
> Hey David,
> I see the following code in ipsec_xmit.c:
>                  notify = nexthdr != IPPROTO_ICMP &&
>                                  nexthdr != IPPROTO_ICMPV6;
>                  KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
>                              "klips_debug:ipsec_xmit_init2: "
>                              "fragmentation needed ; %sdropping packet\n",
>                              notify ? "sending ICMP and " : "");
>                  if (notify)
>                          ICMP6_SEND(ixs->skb,
>                                    ICMP_DEST_UNREACH,
>                                    ICMP_FRAG_NEEDED,
>                                    ixs->cur_mtu,
>                                    ixs->physdev);
> When testing IPv6 with ping6 -s 1400, KLIPS will drop the packet,
> and not send an ICMP6 fragmentation needed packet, causing the ping to
> fail.
> Is there a (good) reason for this behaviour? If it is to avoid sending
> icmps in response to icmps, could we check for ICMP_DEST_UNREACH,
> ICMP_FRAG_NEEDED? Or could we let ECHO response/reply through?
> Despite that, I don't think that is the real issue here. We do see
> frag needed packets, but on ipsecX, not ethX. And I don't think they
> ever make it to the right place.
> For reference, NETKEY fragments the ESP packet and the pings work fine.

Under IPv6, routers are not to fragment, and I, being a router vendor, took
that at face value. Not sure if netkey is doing the right thing here or

I think that code should be sending an ICMPV6_PKT_TOOBIG. Need to check

Also, this is pretty much the same as the IPv4 code above it with fewer
checks. Looks like it needs a review though, will put that on the list to
look at ASAP ;-)

So the list has end-point identification and the icmp fragment thingy, anything
else in there you would like me to look at?
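The `notify` test in the quoted ipsec_xmit.c excerpt suppresses the error for any ICMP payload at all, which is why `ping6 -s 1400` (an ICMPv6 echo request, an informational message) never gets a Packet Too Big. The rule in RFC 1122 section 3.2.2 and RFC 4443 section 2.4 is narrower: do not originate an ICMP error in response to an ICMP error message; informational messages such as echo request/reply may be answered. Below is an added example of that decision logic over a raw inner packet, with constructed (not captured) sample packets. It is not Openswan or KLIPS code and was not posted by either participant; `frag_decide`, `build_icmp4`, `build_icmp6` and the `frag_action` enum are the example's own names, and it assumes the IPv6 next-header field is the transport protocol (it does not walk extension headers).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IANA protocol numbers and ICMP types used below. */
enum { PROTO_ICMP = 1, PROTO_ICMPV6 = 58 };
enum { ICMP4_DEST_UNREACH = 3, ICMP4_ECHO_REQUEST = 8 };
enum { ICMP6_DEST_UNREACH = 1, ICMP6_PKT_TOOBIG = 2, ICMP6_ECHO_REQUEST = 128 };

enum frag_action {
    FRAG_NOT_NEEDED,             /* fits the MTU, send as-is */
    FRAG_FRAGMENT_LOCALLY,       /* IPv4 with DF clear: fragment here */
    FRAG_DROP_SILENT,            /* too big, inner packet is an ICMP error: no error-for-error */
    FRAG_SEND_ICMP4_FRAG_NEEDED, /* drop, send ICMP type 3 code 4 carrying the MTU */
    FRAG_SEND_ICMP6_PKT_TOOBIG,  /* drop, send ICMPv6 type 2 carrying the MTU */
    FRAG_MALFORMED
};

/* RFC 1122 3.2.2: ICMPv4 error types are 3, 4, 5, 11 and 12. */
static int icmp4_is_error(uint8_t type)
{
    return type == 3 || type == 4 || type == 5 || type == 11 || type == 12;
}

/* RFC 4443 2.1: ICMPv6 types 0-127 are errors, 128-255 informational. */
static int icmp6_is_error(uint8_t type)
{
    return type < 128;
}

/* Decide what to do with an outbound inner packet that would exceed `mtu`
 * once encapsulated. `pkt` points at the inner IP header. Assumption: for
 * IPv6 the next-header byte is the transport protocol (no extension headers). */
enum frag_action frag_decide(const uint8_t *pkt, size_t len, size_t mtu)
{
    if (len < 1)
        return FRAG_MALFORMED;
    switch (pkt[0] >> 4) {
    case 4: {
        if (len < 20)
            return FRAG_MALFORMED;
        size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
        size_t total = ((size_t)pkt[2] << 8) | pkt[3];
        if (ihl < 20 || total < ihl || total > len)
            return FRAG_MALFORMED;
        if (total <= mtu)
            return FRAG_NOT_NEEDED;
        if (!(pkt[6] & 0x40))                 /* DF clear: RFC 791 allows fragmenting */
            return FRAG_FRAGMENT_LOCALLY;
        if (pkt[9] == PROTO_ICMP && total > ihl && icmp4_is_error(pkt[ihl]))
            return FRAG_DROP_SILENT;
        return FRAG_SEND_ICMP4_FRAG_NEEDED;
    }
    case 6: {
        if (len < 40)
            return FRAG_MALFORMED;
        size_t total = 40 + (((size_t)pkt[4] << 8) | pkt[5]);
        if (total > len)
            return FRAG_MALFORMED;
        if (total <= mtu)
            return FRAG_NOT_NEEDED;
        /* IPv6 has no DF bit: only the source fragments, so it must be told. */
        if (pkt[6] == PROTO_ICMPV6 && total > 40 && icmp6_is_error(pkt[40]))
            return FRAG_DROP_SILENT;
        return FRAG_SEND_ICMP6_PKT_TOOBIG;
    }
    default:
        return FRAG_MALFORMED;
    }
}

/* Constructed sample packets: minimal IP header, ICMP header whose first
 * byte is `type`, then `payload` zero bytes. Returns total length or 0. */
size_t build_icmp4(uint8_t *buf, size_t cap, uint8_t type, int df, size_t payload)
{
    size_t total = 20 + 8 + payload;
    if (total > cap || total > 0xffff)
        return 0;
    memset(buf, 0, total);
    buf[0] = 0x45;                            /* version 4, IHL 5 */
    buf[2] = (uint8_t)(total >> 8);
    buf[3] = (uint8_t)total;
    buf[6] = df ? 0x40 : 0x00;                /* DF flag */
    buf[8] = 64;                              /* TTL */
    buf[9] = PROTO_ICMP;
    buf[20] = type;
    return total;
}

size_t build_icmp6(uint8_t *buf, size_t cap, uint8_t type, size_t payload)
{
    size_t plen = 8 + payload, total = 40 + plen;
    if (total > cap || plen > 0xffff)
        return 0;
    memset(buf, 0, total);
    buf[0] = 0x60;                            /* version 6 */
    buf[4] = (uint8_t)(plen >> 8);
    buf[5] = (uint8_t)plen;
    buf[6] = PROTO_ICMPV6;
    buf[7] = 64;                              /* hop limit */
    buf[40] = type;
    return total;
}

int main(void)
{
    uint8_t buf[2048];
    size_t n = build_icmp6(buf, sizeof buf, ICMP6_ECHO_REQUEST, 1400); /* ping6 -s 1400 */
    printf("echo request of %zu bytes, mtu 1280: action %d\n", n, frag_decide(buf, n, 1280));
    n = build_icmp6(buf, sizeof buf, ICMP6_DEST_UNREACH, 1400);
    printf("ICMPv6 error of %zu bytes, mtu 1280: action %d\n", n, frag_decide(buf, n, 1280));
    return 0;
}
```

With this rule a 1448-byte echo request over a 1280-byte tunnel MTU yields FRAG_SEND_ICMP6_PKT_TOOBIG, so the sender learns the path MTU and the ping succeeds after it resends smaller; the same-sized ICMPv6 Destination Unreachable is dropped without a reply, which is the loop the blanket `nexthdr != IPPROTO_ICMPV6` check was presumably guarding against. Where the error is actually emitted (on the inner route so it reaches the original sender, rather than on ipsecX) is a separate question the thread raises and the example does not address.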
