Date: Mon, 23 May 2005 09:07:55 -0500 From: dave baukus <dbaukus@chiaro.com> To: Jeremie Le Hen <jeremie@le-hen.org> Cc: freebsd-net@freebsd.org Subject: Re: ICMP need to frag Message-ID: <4291E3BB.8030207@chiaro.com> In-Reply-To: <20050522232847.GL850@obiwan.tataz.chchile.org> References: <20050522201748.GJ850@obiwan.tataz.chchile.org> <20050522232847.GL850@obiwan.tataz.chchile.org>
next in thread | previous in thread | raw e-mail | index | archive | help
> > > I forgot to tell that I don't have any firewall rule on the ssh server, > and net.inet.tcp.path_mtu_discovery is set to 1. > > A few more questions : > - Why does ssh set the Dont-Fragment bit ? This is maybe usual > in today TCP/IP communications, as Path MTU Discovery slowly > replaced fragmentation. TCP always sets don't frag: /* * If we do path MTU discovery, then we set DF on every packet. * This might not be the best thing to do according to RFC3390 * Section 2. However the tcp hostcache migitates the problem * so it affects only the first tcp connection with a host. */ if (path_mtu_discovery) ip->ip_off |= IP_DF; You can turn it off via this sysctl: int path_mtu_discovery = 1; SYSCTL_INT(_net_inet_tcp, OID_AUTO, path_mtu_discovery, CTLFLAG_RW, &path_mtu_discovery, 1, "Enable Path MTU Discovery"); > > - Why does Path MTU Discovery doesn't work here ? I'm pretty > sure that the ICMP Need-To-Frag packets are not filtered since > I am able to see them outgoing from the Ethernet network card > on the RELENG_4 router. > Does SSH use IPSEC AH ? Just guessing here, but maybe the problems is (from icmp_input()): /* * XXX if the packet contains [IPv4 AH TCP], we can't make a * notification to TCP layer. */ ctlfunc = inetsw[ip_protox[icp->icmp_ip.ip_p]].pr_ctlinput; if (ctlfunc) (*ctlfunc)(code, (struct sockaddr *)&icmpsrc, (void *)&icp->icmp_ip); -- Dave Baukus dbaukus@chiaro.com Chiaro Networks Ltd. Richardson, Texas USA
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4291E3BB.8030207>