Date:      Mon, 23 May 2005 01:28:47 +0200
From:      Jeremie Le Hen <jeremie@le-hen.org>
To:        freebsd-net@FreeBSD.org
Subject:   Re: ICMP need to frag
Message-ID:  <20050522232847.GL850@obiwan.tataz.chchile.org>
In-Reply-To: <20050522201748.GJ850@obiwan.tataz.chchile.org>
References:  <20050522201748.GJ850@obiwan.tataz.chchile.org>

> I try to connect to my RELENG_5 box through an IPsec tunnel whose MTU
> is 1260.
> 
> CURRENT  -------- [[ RELENG_5 ------- RELENG_4 ]] -------- RELENG_5
> (client) Ethernet              IPSec              Ethernet (server)
>           (1500)               (1260)              (1500)
> 
> 
> The attached tcpdump trace comes from the Ethernet side of the RELENG_4
> router.  I simply don't understand why the RELENG_5 ssh server doesn't
> take care of the ICMP need to frag packet.
> FYI, this trace is a screen reattachment through ssh which hangs during
> the screen refresh.  After about ten seconds, I broke the ssh session
> with ~. .

I forgot to mention that I don't have any firewall rule on the ssh server,
and net.inet.tcp.path_mtu_discovery is set to 1.

A few more questions:
    - Why does ssh set the Don't-Fragment bit?  This is maybe usual
      in today's TCP/IP communications, as Path MTU Discovery slowly
      replaced fragmentation.

    - Why doesn't Path MTU Discovery work here?  I'm pretty
      sure that the ICMP Need-To-Frag packets are not filtered since
      I am able to see them outgoing from the Ethernet network card
      on the RELENG_4 router.

Best regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >


