kern/91412: Problem with PMTU Discovery / DF / IPSEC / GIF Tunnels

Nate Nielsen nielsen at memberwebs.com
Fri Jan 6 10:40:06 PST 2006


>Number:         91412
>Category:       kern
>Synopsis:       Problem with PMTU Discovery / DF / IPSEC / GIF Tunnels
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 06 18:40:04 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Nate Nielsen
>Release:        FreeBSD 6.0
>Organization:
>Environment:
FreeBSD northstar-link.ws.local 6.0-RELEASE FreeBSD 6.0-RELEASE #34: Tue Dec 13 00:40:26 UTC 2005 nate at mesh-master.ws.local:/usr/src/sys/i386/compile/NETSOEKRIS  i386

>Description:
I encountered a strange problem with PMTU discovery not working properly
on various machines when the packets were tunneled over a GIF / IPSEC
Transport type tunnel (both ends running FreeBSD 6.0). Configuration
files attached.

Various older FreeBSD systems (it seemed systems that had jails running)
and also Windows Virtual Machines running in Microsoft's Virtual Server
2005 system, did not perform PMTU discovery properly.

The FreeBSD 6.0 routers were sending out ICMP host-unreachable
need-fragment packets without an MTU hint. Most machines handle this
fine, but the ones noted above did not decrease PMTU for the connection.

The attached patch makes sure that the FreeBSD 6.0 router will include
an MTU hint in the ICMP packet. The problem was caused by the IPSec
lookup in ip_forward() returning a secpolicy pointer, but then that
pointer having no details (such as request, etc...) contained in it. The
attached patch (against 6.0) covers that eventuality.

The 'bug' is obviously in the machines that don't handle the missing MTU
hint properly, but since we can't patch Windows, this patch helps
alleviate the problem from the other side.
>How-To-Repeat:
Will attach configuration files in a follow-up.
>Fix:
Will attach patch in a follow-up.
>Release-Note:
>Audit-Trail:
>Unformatted:
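A way to check for the symptom described above from the wire: the following is an added example, not part of this PR or of FreeBSD's code. It parses an ICMP Destination Unreachable / Fragmentation Needed message, reports whether the RFC 1191 Next-Hop MTU field carries a hint (the report's routers were sending 0), and shows the plateau fallback that an RFC 1191 conformant host applies when the hint is missing. The `build_frag_needed` helper only constructs sample messages for the demonstration (checksum left at zero and not validated).

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional

ICMP_DEST_UNREACH = 3      # ICMP type: Destination Unreachable
ICMP_FRAG_NEEDED = 4       # code: fragmentation needed and DF set
# RFC 1191 section 7.1 plateau table, used when no Next-Hop MTU is given
RFC1191_PLATEAUS = (65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68)


@dataclass
class FragNeeded:
    next_hop_mtu: int   # RFC 1191 field; 0 means the router gave no hint
    orig_src: str
    orig_dst: str
    orig_len: int       # total length of the datagram that was dropped
    df_set: bool


def parse_frag_needed(icmp: bytes) -> Optional[FragNeeded]:
    """Parse an ICMP payload (starting at the ICMP header); None if not need-frag."""
    if len(icmp) < 8 + 20:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    inner = icmp[8:]                         # quoted IP header of the dropped packet
    if (inner[0] >> 4) != 4 or (inner[0] & 0x0F) < 5:
        return None
    total_len, _ident, flags_frag = struct.unpack("!HHH", inner[2:8])
    return FragNeeded(mtu, socket.inet_ntoa(inner[12:16]),
                      socket.inet_ntoa(inner[16:20]), total_len,
                      bool(flags_frag & 0x4000))


def effective_pmtu(msg: FragNeeded) -> int:
    """PMTU a conformant host adopts: the hint, or the next plateau below orig_len."""
    if msg.next_hop_mtu > 0:
        return msg.next_hop_mtu
    return next((p for p in RFC1191_PLATEAUS if p < msg.orig_len), 68)


def build_frag_needed(mtu: int, orig_len: int, src: str, dst: str, df: bool = True) -> bytes:
    """Constructed sample message (hypothetical addresses, zero checksum)."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, orig_len, 0x1234,
                        0x4000 if df else 0, 64, 6, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    inner += b"\x00" * 8                     # first 8 bytes of the original payload
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, mtu) + inner
```

A capture showing `next_hop_mtu == 0` on need-frag messages from the tunnel router is the condition the report describes; hosts that ignore the plateau fallback then never lower their PMTU.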