ICMP need to frag
Jeremie Le Hen
jeremie at le-hen.org
Sun May 22 16:28:46 PDT 2005
> I try to connect to my RELENG_5 box through an IPsec tunnel whose MTU
> is 1260.
>
> CURRENT -------- [[ RELENG_5 ------- RELENG_4 ]] -------- RELENG_5
> (client) Ethernet             IPSec              Ethernet (server)
>           (1500)              (1260)              (1500)
>
>
> The attached tcpdump trace comes from the Ethernet side of the RELENG_4
> router. I simply don't understand why the RELENG_5 ssh server doesn't
> take care of the ICMP need to frag packet.
> FYI, this trace is a screen reattachment through ssh which hangs during
> the screen refresh. After about ten seconds, I broke the ssh session
> with ~. .
I forgot to mention that I don't have any firewall rule on the ssh server,
and net.inet.tcp.path_mtu_discovery is set to 1.

A few more questions:
- Why does ssh set the Don't-Fragment bit? This is maybe usual
  in today's TCP/IP communications, as Path MTU Discovery slowly
  replaced fragmentation.
- Why doesn't Path MTU Discovery work here? I'm pretty
  sure that the ICMP Need-To-Frag packets are not filtered since
  I am able to see them outgoing from the Ethernet network card
  on the RELENG_4 router.

Best regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >