Date: Mon, 23 May 2005 01:28:47 +0200
From: Jeremie Le Hen <jeremie@le-hen.org>
To: freebsd-net@FreeBSD.org
Subject: Re: ICMP need to frag
Message-ID: <20050522232847.GL850@obiwan.tataz.chchile.org>
In-Reply-To: <20050522201748.GJ850@obiwan.tataz.chchile.org>
References: <20050522201748.GJ850@obiwan.tataz.chchile.org>

> I try to connect to my RELENG_5 box through an IPsec tunnel whose MTU
> is 1260.
>
> CURRENT -------- [[ RELENG_5 ------- RELENG_4 ]] -------- RELENG_5
> (client) Ethernet             IPSec              Ethernet (server)
>           (1500)              (1260)              (1500)
>
>
> The attached tcpdump trace comes from the Ethernet side of the RELENG_4
> router.  I simply don't understand why the RELENG_5 ssh server doesn't
> take care of the ICMP need to frag packet.
> FYI, this trace is a screen reattachment through ssh which hangs during
> the screen refresh.  After about ten seconds, I broke the ssh session
> with ~. .

I forgot to mention that I don't have any firewall rule on the ssh server,
and net.inet.tcp.path_mtu_discovery is set to 1.

A few more questions:
- Why does ssh set the Don't-Fragment bit?  This is maybe usual in
  today's TCP/IP communications, as Path MTU Discovery slowly replaced
  fragmentation.
- Why doesn't Path MTU Discovery work here?  I'm pretty sure that the
  ICMP Need-To-Frag packets are not filtered since I am able to see them
  outgoing from the Ethernet network card on the RELENG_4 router.

Best regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >