From: dave baukus <dbaukus@chiaro.com>
Organization: Chiaro Networks
Date: Mon, 23 May 2005 09:07:55 -0500
To: Jeremie Le Hen
Cc: freebsd-net@freebsd.org
Subject: Re: ICMP need to frag
Message-ID: <4291E3BB.8030207@chiaro.com>
In-Reply-To: <20050522232847.GL850@obiwan.tataz.chchile.org>
List-Id: Networking and TCP/IP with FreeBSD

> > I forgot to tell that I don't have any firewall rule on the ssh server,
> > and net.inet.tcp.path_mtu_discovery is set to 1.
>
> A few more questions:
> - Why does ssh set the Dont-Fragment bit? This is maybe usual
>   in today's TCP/IP communications, as Path MTU Discovery slowly
>   replaced fragmentation.

TCP always sets don't frag:

    /*
     * If we do path MTU discovery, then we set DF on every packet.
     * This might not be the best thing to do according to RFC3390
     * Section 2. However the tcp hostcache mitigates the problem
     * so it affects only the first tcp connection with a host.
     */
    if (path_mtu_discovery)
        ip->ip_off |= IP_DF;

You can turn it off via this sysctl:

    int path_mtu_discovery = 1;
    SYSCTL_INT(_net_inet_tcp, OID_AUTO, path_mtu_discovery, CTLFLAG_RW,
        &path_mtu_discovery, 1, "Enable Path MTU Discovery");

> - Why doesn't Path MTU Discovery work here? I'm pretty
>   sure that the ICMP Need-To-Frag packets are not filtered since
>   I am able to see them outgoing from the Ethernet network card
>   on the RELENG_4 router.

Does SSH use IPSEC AH? Just guessing here, but maybe the problem is (from icmp_input()):

    /*
     * XXX if the packet contains [IPv4 AH TCP], we can't make a
     * notification to TCP layer.
     */
    ctlfunc = inetsw[ip_protox[icp->icmp_ip.ip_p]].pr_ctlinput;
    if (ctlfunc)
        (*ctlfunc)(code, (struct sockaddr *)&icmpsrc, (void *)&icp->icmp_ip);

--
Dave Baukus
dbaukus@chiaro.com
Chiaro Networks Ltd.
Richardson, Texas USA
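The dispatch on the embedded ip_p that the icmp_input() fragment above shows can be checked with a small parser over a constructed ICMP "fragmentation needed" message (type 3, code 4): when AH sits in front of TCP, the quoted header's protocol is 51, so the TCP control-input handler never learns the next-hop MTU. This is an added example, not code from the thread or from FreeBSD; parse_needfrag, build_needfrag and needfrag_info are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical helper, not kernel code: parses an ICMPv4 "fragmentation
   needed" message and reports what a TCP-layer PMTU handler would see. */
#define ICMP_UNREACH_TYPE     3
#define ICMP_UNREACH_NEEDFRAG 4
#define PROTO_TCP             6
#define PROTO_AH              51
#define ICMP_HDR_LEN          8
#define IP_MIN_HDR_LEN        20

struct needfrag_info {
    uint16_t next_mtu;      /* next-hop MTU (RFC 1191); 0 from old routers */
    uint8_t  inner_proto;   /* ip_p of the embedded (quoted) IPv4 header */
    int      tcp_reachable; /* 1 if dispatch on ip_p lands on TCP */
};

/* Returns 0 on success, -1 if the buffer is not a well-formed needfrag. */
int parse_needfrag(const uint8_t *icmp, size_t len, struct needfrag_info *out)
{
    if (len < ICMP_HDR_LEN + IP_MIN_HDR_LEN) return -1;
    if (icmp[0] != ICMP_UNREACH_TYPE || icmp[1] != ICMP_UNREACH_NEEDFRAG)
        return -1;
    const uint8_t *inner = icmp + ICMP_HDR_LEN;
    if ((inner[0] >> 4) != 4) return -1;   /* quoted header must be IPv4 */
    out->next_mtu = (uint16_t)((icmp[6] << 8) | icmp[7]);
    out->inner_proto = inner[9];
    /* Mirrors inetsw[ip_protox[icp->icmp_ip.ip_p]]: with [IPv4 AH TCP]
       ip_p is 51, so the notification stops at AH instead of TCP. */
    out->tcp_reachable = (out->inner_proto == PROTO_TCP);
    return 0;
}

/* Builds a constructed needfrag message whose quoted header carries proto. */
size_t build_needfrag(uint8_t *buf, uint16_t mtu, uint8_t proto)
{
    memset(buf, 0, ICMP_HDR_LEN + IP_MIN_HDR_LEN);
    buf[0] = ICMP_UNREACH_TYPE;
    buf[1] = ICMP_UNREACH_NEEDFRAG;
    buf[6] = (uint8_t)(mtu >> 8);
    buf[7] = (uint8_t)(mtu & 0xff);
    buf[ICMP_HDR_LEN] = 0x45;          /* IPv4, IHL 5 */
    buf[ICMP_HDR_LEN + 9] = proto;     /* embedded ip_p */
    return ICMP_HDR_LEN + IP_MIN_HDR_LEN;
}
```

A next_mtu of 0 means a pre-RFC-1191 router that did not fill the field in, so a receiver must fall back to a plateau table rather than trust the value.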