[Openswan dev] IPv6 fragmentation for KLIPS vs NETKEY

David McCullough david_mccullough at mcafee.com
Tue Apr 26 20:56:29 EDT 2011


Jivin Paul Wouters lays it down ...
> On Mon, 25 Apr 2011, Paul Wouters wrote:
> 
> > Subject: [Openswan dev] IPv6 fragmentation for KLIPS vs NETKEY
> 
> I fixed the fragmentation code, it will be in openswan 2.6.34.
> 
> One thing I wanted to bring up to be sure we're not making a mistake is
> the following.
> 
> We originally did our tests with ping6 packet sizes, but the code was
> explicitly not sending any ICMP6 messages if the packet that was too
> big was itself an ICMP6 message. I removed this check, as I don't think
> this is needed. The only "storm" this could produce is if we would receive
> an ICMPV6_PKT_TOOBIG message that in itself is too big. I don't think that
> can realisticly happen, as that packet only contains a few bytes of headers
> and the max mtu that can go through the link as data.
> 
> With the current code, you can test fragmentation using ping6 -s 1400 destip

Sounds ok to me,

Cheers,
Davidm

-- 
David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org


More information about the Dev mailing list