Date: Mon, 23 May 2005 09:07:55 -0500 From: dave baukus <dbaukus@chiaro.com> To: Jeremie Le Hen <jeremie@le-hen.org> Cc: freebsd-net@freebsd.org Subject: Re: ICMP need to frag Message-ID: <4291E3BB.8030207@chiaro.com> In-Reply-To: <20050522232847.GL850@obiwan.tataz.chchile.org> References: <20050522201748.GJ850@obiwan.tataz.chchile.org> <20050522232847.GL850@obiwan.tataz.chchile.org>
next in thread | previous in thread | raw e-mail | index | archive | help
>
>
> I forgot to tell that I don't have any firewall rule on the ssh server,
> and net.inet.tcp.path_mtu_discovery is set to 1.
>
> A few more questions :
> - Why does ssh set the Dont-Fragment bit ? This is maybe usual
> in today TCP/IP communications, as Path MTU Discovery slowly
> replaced fragmentation.
TCP always sets don't frag:
/*
* If we do path MTU discovery, then we set DF on every packet.
* This might not be the best thing to do according to RFC3390
* Section 2. However the tcp hostcache migitates the problem
* so it affects only the first tcp connection with a host.
*/
if (path_mtu_discovery)
ip->ip_off |= IP_DF;
You can turn it off via this sysctl:
int path_mtu_discovery = 1;
SYSCTL_INT(_net_inet_tcp, OID_AUTO, path_mtu_discovery, CTLFLAG_RW,
&path_mtu_discovery, 1, "Enable Path MTU Discovery");
>
> - Why does Path MTU Discovery doesn't work here ? I'm pretty
> sure that the ICMP Need-To-Frag packets are not filtered since
> I am able to see them outgoing from the Ethernet network card
> on the RELENG_4 router.
>
Does SSH use IPSEC AH ?
Just guessing here, but maybe the problems is (from icmp_input()):
/*
* XXX if the packet contains [IPv4 AH TCP], we can't make a
* notification to TCP layer.
*/
ctlfunc = inetsw[ip_protox[icp->icmp_ip.ip_p]].pr_ctlinput;
if (ctlfunc)
(*ctlfunc)(code, (struct sockaddr *)&icmpsrc,
(void *)&icp->icmp_ip);
--
Dave Baukus
dbaukus@chiaro.com
Chiaro Networks Ltd.
Richardson, Texas
USA
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4291E3BB.8030207>