From: Victor Gamov
Date: Sun, 26 Feb 2023 15:07:22 +0300
Subject: ECMP, DF-bit and ICMP "Fragmentation needed"
To: freebsd-net@freebsd.org
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

Hi All

I have the following scheme:
- LAN segment 10.5.8.0/24 with router1 (10.5.8.1) and MTU=1500
- two hosts at LAN segment: host21 (10.5.8.21) and host22 (10.5.8.22)
- host21 and host22 have VIP=172.16.110.30 configured as LAN-interface alias
- host21 and host22 have BGP peering with router1 and announce VIP to router1
- hostX somewhere at intranet
- ipsec-tunnel with MTU=1400

ECMP works fine and traffic from other segments to VIP is balanced between host21+host22 by router1.

The problem is: when host21 and/or host22 send a large packet with DF-bit using VIP as source then ipsec-router sends ICMP "Fragmentation needed" and then this ICMP is _always_ sent to only host22 by router1.

I think it may be hard or impossible to find proper VIP-owner to send this ICMP. Is it possible to propagate such ICMP to all VIP-owners in router1 routing-table? Or may some data from ICMP message be used to properly calculate ECMP-hash to find a real VIP-owner which must receive this ICMP?

Thanks!

--
CU,
Victor Gamov
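
The last question in the message, worked through as an added example that is not part of the original post: an ICMP "Fragmentation needed" error quotes the original IP header plus the first 8 payload bytes, so an ECMP decision can hash the quoted flow (reversed) instead of the outer addresses. The CRC32 hash, the hostX and ipsec-router addresses and port 443 are assumptions for illustration; nothing here describes what router1 or any specific router actually implements.

```python
import socket
import struct
import zlib

NEXT_HOPS = ["10.5.8.21", "10.5.8.22"]            # host21, host22 from the post
VIP = "172.16.110.30"
HOSTX, IPSEC_ROUTER = "192.0.2.10", "198.51.100.1"  # constructed addresses

def pick(src, dst, proto, sport=0, dport=0):
    """Stand-in ECMP choice: CRC32 over the 5-tuple (real routers use their own hash)."""
    key = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BHH", proto, sport, dport)
    return NEXT_HOPS[zlib.crc32(key) % len(NEXT_HOPS)]

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header with DF set (checksum left zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def frag_needed(router, original, mtu):
    """ICMP type 3 code 4, quoting the original IP header + first 8 payload bytes."""
    ihl = (original[0] & 0x0F) * 4
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + original[:ihl + 8]
    return ipv4(router, socket.inet_ntoa(original[12:16]), 1, icmp)

def select_next_hop(packet):
    """ECMP choice that hashes ICMP errors on the quoted (inner) flow, reversed."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    l4 = packet[ihl:]
    if proto in (6, 17) and len(l4) >= 4:
        return pick(src, dst, proto, *struct.unpack("!HH", l4[:4]))
    if proto == 1 and len(l4) >= 8 + 20 + 4 and l4[0] == 3 and l4[1] == 4:
        inner = l4[8:]
        iihl = (inner[0] & 0x0F) * 4
        if inner[9] in (6, 17) and len(inner) >= iihl + 4:
            isport, idport = struct.unpack("!HH", inner[iihl:iihl + 4])
            # Swap addresses and ports so the key equals the hostX -> VIP flow key.
            return pick(socket.inet_ntoa(inner[16:20]), socket.inet_ntoa(inner[12:16]),
                        inner[9], idport, isport)
    return pick(src, dst, proto)  # fallback: outer addresses only

def demo(cport):
    """Returns (hop for hostX->VIP flow, hop for its ICMP error, outer-only hop)."""
    fwd = ipv4(HOSTX, VIP, 6, struct.pack("!HH", cport, 443) + bytes(16))
    reply = ipv4(VIP, HOSTX, 6, struct.pack("!HH", 443, cport) + bytes(1400))
    err = frag_needed(IPSEC_ROUTER, reply, 1400)
    return select_next_hop(fwd), select_next_hop(err), pick(IPSEC_ROUTER, VIP, 1)
```

The third value returned by `demo()` is the same for every client port, which is the "always host22" behaviour described in the message: the outer header of the ICMP error carries no per-flow information.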