From: Alexander Chernikov
To: Victor Gamov
Cc: freebsd-net
Date: Mon, 27 Feb 2023 10:56:48 +0000
Subject: Re: ECMP, DF-bit and ICMP "Fragmentation needed"
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

> On 26 Feb 2023, at 12:07, Victor Gamov wrote:
>
> Hi All
>
> I have the following scheme:
> - LAN segment 10.5.8.0/24 with router1 (10.5.8.1) and MTU=1500
> - two hosts at the LAN segment, host21 (10.5.8.21) and host22 (10.5.8.22)
> - host21 and host22 have VIP=172.16.110.30 configured as a LAN-interface alias
> - host21 and host22 have BGP peering with router1 and announce the VIP to router1
> - hostX somewhere in the intranet
> - ipsec-tunnel with MTU=1400
>
> ECMP works fine and traffic from other segments to the VIP is balanced between host21+host22 by router1.
>
> The problem is:
> when host21 and/or host22 send a large packet with the DF-bit set using the VIP as source, then the ipsec-router sends ICMP "Fragmentation needed" and this ICMP is _always_ sent only to host22 by router1.
>
> I think it may be hard or impossible to find the proper VIP-owner to send this ICMP to. Is it possible to propagate such an ICMP to all VIP-owners in router1's routing-table? Or may some data from the ICMP message be used to properly calculate the ECMP-hash to find the real VIP-owner which must receive this ICMP?

Generally it's pretty hard to do. The path may go through multiple routers, each of which has its own hash calculation + seed to avoid traffic polarisation. Personally I'd suggest doing some sort of ICMP replication on either the source node or the hosts.

>
> Thanks!
>
> --
> CU,
> Victor Gamov
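The following is an added toy model of the situation discussed in this thread, not code from either poster or from FreeBSD. It shows why router1 always delivers the ICMP "Fragmentation needed" to the same VIP owner (ECMP hashes the outer header of the packet being forwarded, which for these ICMP errors is constant), why hashing the embedded original tuple instead does not recover the sender (the result depends on the seed of whichever router does the hashing), and what the host-side ICMP replication suggested above would decide. The VIP, host21 and host22 addresses are those from the mail; the ipsec-router and hostX addresses, the hash function and the seeds are constructed assumptions.

```python
"""Toy model of ECMP delivery of ICMP Fragmentation Needed to a shared VIP.
Addresses of the ipsec router and hostX, the hash function and all seeds are
constructed for this example; real routers use vendor-specific hashes."""

import hashlib
import socket
import struct

VIP = "172.16.110.30"
VIP_OWNERS = ["10.5.8.21", "10.5.8.22"]   # host21 and host22 from the thread
IPSEC_ROUTER = "10.9.9.1"                 # assumed address of the ipsec router
HOST_X = "10.7.7.7"                       # assumed address of hostX


def ipv4_header(src, dst, proto, total_len, ident=0, df=True):
    """Minimal 20-byte IPv4 header; the checksum is left zero in this toy."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident,
                       0x4000 if df else 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) of an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            pkt[9], pkt[ihl:])


def frag_needed_packet(orig_src, orig_dst, orig_proto, next_hop_mtu):
    """IPv4 packet from the ipsec router carrying ICMP type 3 code 4
    (RFC 1191): 16 unused bits, 16-bit next-hop MTU, then the original IP
    header plus the first 8 bytes of its payload (zeros here)."""
    inner = ipv4_header(orig_src, orig_dst, orig_proto, 1500) + b"\x00" * 8
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + inner
    return ipv4_header(IPSEC_ROUTER, VIP, 1, 20 + len(icmp)) + icmp


def parse_frag_needed(icmp):
    """Decode next-hop MTU and the embedded original flow, or None if the
    message is not a Fragmentation Needed (or too short to carry one)."""
    if len(icmp) < 28:
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (typ, code) != (3, 4):
        return None
    src, dst, proto, _ = parse_ipv4(icmp[8:])
    return {"mtu": mtu, "orig_src": src, "orig_dst": dst, "orig_proto": proto}


def ecmp_hash(src, dst, proto, seed):
    """Toy per-router flow hash: the tuple salted with a router-specific seed,
    which is the 'seed to avoid polarisation' mentioned in the reply."""
    key = struct.pack("!4s4sBI", socket.inet_aton(src),
                      socket.inet_aton(dst), proto, seed)
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big")


def router1_next_hop(pkt, seed):
    """What router1 actually does: hash the header of the packet it forwards.
    For these ICMP errors that is always (ipsec router, VIP, proto 1), so the
    chosen owner never varies with the flow that triggered the error."""
    src, dst, proto, _ = parse_ipv4(pkt)
    return VIP_OWNERS[ecmp_hash(src, dst, proto, seed) % len(VIP_OWNERS)]


def inner_tuple_next_hop(pkt, seed):
    """The 'use data from the ICMP message' idea from the question: hash the
    embedded original tuple instead. The answer still depends on the seed of
    whichever router is asked, so it is a hash, not a lookup of the sender."""
    _, _, _, icmp = parse_ipv4(pkt)
    info = parse_frag_needed(icmp)
    h = ecmp_hash(info["orig_src"], info["orig_dst"], info["orig_proto"], seed)
    return VIP_OWNERS[h % len(VIP_OWNERS)]


def replication_targets(pkt, me, vip=VIP, owners=VIP_OWNERS):
    """Host-side replication agent (hypothetical): if the embedded datagram was
    sourced from the shared VIP, any owner may have sent it, so the ICMP is
    copied to the other owners; anything else is left alone."""
    _, _, proto, icmp = parse_ipv4(pkt)
    info = parse_frag_needed(icmp) if proto == 1 else None
    if info is None or info["orig_src"] != vip:
        return []
    return [h for h in owners if h != me]


if __name__ == "__main__":
    seed = 12345  # constructed router1 seed
    pkts = [frag_needed_packet(VIP, f"10.7.7.{i}", 6, 1400) for i in range(1, 21)]
    print("router1 delivers all 20 errors to:", {router1_next_hop(p, seed) for p in pkts})
    print("inner-tuple hash, seed 1 vs seed 2:",
          inner_tuple_next_hop(pkts[0], 1), inner_tuple_next_hop(pkts[0], 2))
    print("host22 would replicate to:", replication_targets(pkts[0], "10.5.8.22"))
```

The replication agent only decides where a copy should go; a real deployment would re-inject the copy on the other owners via a raw socket so their TCP stacks update the path MTU, and should only accept ICMP whose embedded header matches a flow the host actually has, as the kernel already does for its own PMTU handling.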