From: Jeremie Le Hen
To: freebsd-net@FreeBSD.org
Date: Mon, 23 May 2005 01:28:47 +0200
Subject: Re: ICMP need to frag
Message-ID: <20050522232847.GL850@obiwan.tataz.chchile.org>
In-Reply-To: <20050522201748.GJ850@obiwan.tataz.chchile.org>
List-Id: Networking and TCP/IP with FreeBSD

> I try to connect to my RELENG_5 box through an IPsec tunnel whose MTU
> is 1260.
>
> CURRENT -------- [[ RELENG_5 ------- RELENG_4 ]] -------- RELENG_5
> (client)       Ethernet             IPSec             Ethernet  (server)
>                 (1500)              (1260)             (1500)
>
> The attached tcpdump trace comes from the Ethernet side of the RELENG_4
> router. I simply don't understand why the RELENG_5 ssh server doesn't
> take care of the ICMP need to frag packet.
> FYI, this trace is a screen reattachment through ssh which hangs during
> the screen refresh. After about ten seconds, I broke the ssh session
> with ~. .

I forgot to mention that I don't have any firewall rule on the ssh server,
and net.inet.tcp.path_mtu_discovery is set to 1.

A few more questions:

- Why does ssh set the Don't-Fragment bit? This is maybe usual in today's
  TCP/IP communications, as Path MTU Discovery slowly replaced
  fragmentation.

- Why doesn't Path MTU Discovery work here? I'm pretty sure that the ICMP
  Need-To-Frag packets are not filtered, since I am able to see them
  outgoing from the Ethernet network card on the RELENG_4 router.

Best regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
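A receiving host does not honour every ICMP Need-Frag message it sees: the quoted packet must belong to one of its own connections and pass a few plausibility checks before the path MTU is lowered. The following Python is an added example of that validation (not code from the post or from FreeBSD's own stack); the addresses, ports, sequence window and the constructed sample message are all assumptions.

```python
import socket
import struct

ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG = 3, 4   # ICMP type 3, code 4
IP_DF = 0x4000                                # "Don't Fragment" flag bit

def ipv4_header(src, dst, proto, total_len, flags=IP_DF):
    # Minimal 20-byte IPv4 header; checksum left at 0 (not verified below).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def icmp_need_frag(next_hop_mtu, quoted_ip_header, transport_prefix):
    # RFC 1191: next-hop MTU sits in the low 16 bits of the "unused" word,
    # followed by the offending IP header plus 8 bytes of its payload.
    return struct.pack("!BBHHH", ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 0, 0,
                       next_hop_mtu) + quoted_ip_header + transport_prefix

def parse_need_frag(icmp, connections):
    """connections: {(src, sport, dst, dport): (snd_una, snd_max)}. Returns
    (next_hop_mtu, key) if the message may update that path MTU, else (None, why)."""
    if len(icmp) < 8 + 20 + 8:
        return None, "truncated"
    itype, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (itype, code) != (ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG):
        return None, "not a need-frag message"
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None, "bad quoted IP header"
    flags, proto = struct.unpack("!H", inner[6:8])[0], inner[9]
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    if proto != socket.IPPROTO_TCP:
        return None, "quoted packet is not TCP"
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    key = (src, sport, dst, dport)
    if key not in connections:
        return None, "no matching connection"
    snd_una, snd_max = connections[key]
    if not snd_una <= seq < snd_max:   # drop unsolicited ICMP, as TCP stacks do
        return None, "quoted sequence number outside send window"
    if not flags & IP_DF:
        return None, "quoted packet did not have DF set"
    if mtu == 0:
        return None, "no next-hop MTU supplied (pre-RFC 1191 router)"
    return mtu, key

def sample_message():
    # Constructed: client 10.0.0.2:55555 -> ssh server 10.0.0.1:22, 1500-byte DF segment, tunnel MTU 1260.
    hdr = ipv4_header("10.0.0.2", "10.0.0.1", socket.IPPROTO_TCP, 1500)
    pkt = icmp_need_frag(1260, hdr, struct.pack("!HHI", 55555, 22, 1000))
    return pkt, {("10.0.0.2", 55555, "10.0.0.1", 22): (900, 2000)}
```

Running `parse_need_frag(*sample_message())` yields `(1260, ('10.0.0.2', 55555, '10.0.0.1', 22))`; feeding the same message with an empty or non-matching connection table returns the reason it would be ignored, which is the first thing to check when a host appears to disregard Need-Frag messages.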