[Openswan Users] Re: UDP fragmentation in Linux
mcr at xelerance.com
mcr at xelerance.com
Fri Mar 4 14:49:58 CET 2005
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Marcus" == Marcus Leech <mleech at nortel.com> writes:
Marcus> After my fiasco of last night (trying to use 2048-bit certs
Marcus> and having them utterly fail to make across the network),
Marcus> I've started looking into Linux UDP fragmentation grossness.
Right.
That's why in-line certificates suck :-)
Please visit PKI4IPSEC WG.
Marcus> But with UDP packets (NOT JUST PLUTO--I wrote some test
Marcus> code), the stack simply emits a single packet with the "more
Marcus> fragments" flag bit set in the IP header, the UDP length
Marcus> field set to the UDP length, and the IP length set to the
Marcus> MTU. But the trailing fragment(s) never get emitted--just
Right. Exactly. With DF set, you have to fragment.
The local stack enforces this. With 2.6 there is an option to turn off
DF on a per-socket basis. I wrote some for pluto, but I didn't get a
chance to test that.
You can also just turn DF off for all UDP.
Marcus> Another observation. When I was testing this stuff
Marcus> purely-locally (on the same IP subnet), I could use long
Marcus> certificates, and nothing bad happened. I can only assume
Marcus> that the Linux stack detects the "local subnettedness" and
Marcus> uses jumbograms--I don't have the patience/energy to go back
Marcus> and set it up again to run a tcpdump.
Maybe... doubtful to me.
Marcus> I can't believe people put up with this. It's so horribly,
Marcus> outrageously broken. Now, I know that there are those that
Nobody uses UDP out there for anything other than DNS.
And the DNS folks went to great lengths to make sure that
fragmentation wouldn't occur unless all ends were agreeable (EDNS0).
Marcus> In the absence of app-layer fragmentation in IKE, how am I
Marcus> supposed to support larger (2048-bit) certificates?
Visit PKI4IPSEC.
Do not send in-line certificates. Get them from HTTP or LDAP.
(even if the HTTP is running on the client's computer...)
I've suggested application layer fragmentation for IKEv2.
- --
] Michael Richardson Xelerance Corporation, Ottawa, ON | firewalls [
] mcr @ xelerance.com Now doing IPsec training, see |net architect[
] http://www.sandelman.ca/mcr/ www.xelerance.com/training/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys
iQCVAwUBQii75IqHRg3pndX9AQFfRgP/U+b1FbA+1Q2iBAibIL4UP4sCmFvnSiDs
sUy8z4IimbA73risxtHzFU1aLdp/nzOpYQfOi2X33aDn4DyOhGifHsFm4kplRSIP
GYMv/OdTgpP7ektkcEqO7kl0yGpFlK4O/9IotZQmvFUni1USaBU8D6aGlehceBK3
mGYrtUwXt34=
=lk5G
-----END PGP SIGNATURE-----
More information about the Users
mailing list