ICMP need to frag
dave baukus
dbaukus at chiaro.com
Mon May 23 06:54:05 PDT 2005
>
>
> I forgot to tell that I don't have any firewall rule on the ssh server,
> and net.inet.tcp.path_mtu_discovery is set to 1.
>
> A few more questions :
> - Why does ssh set the Don't-Fragment bit? This is maybe usual
> in today's TCP/IP communications, as Path MTU Discovery slowly
> replaced fragmentation.
TCP always sets don't frag:

        /*
         * If we do path MTU discovery, then we set DF on every packet.
         * This might not be the best thing to do according to RFC3390
         * Section 2. However the tcp hostcache mitigates the problem
         * so it affects only the first tcp connection with a host.
         */
        if (path_mtu_discovery)
                ip->ip_off |= IP_DF;
You can turn it off via this sysctl:

        int path_mtu_discovery = 1;
        SYSCTL_INT(_net_inet_tcp, OID_AUTO, path_mtu_discovery, CTLFLAG_RW,
            &path_mtu_discovery, 1, "Enable Path MTU Discovery");
>
> - Why doesn't Path MTU Discovery work here? I'm pretty
> sure that the ICMP Need-To-Frag packets are not filtered since
> I am able to see them outgoing from the Ethernet network card
> on the RELENG_4 router.
>
Does SSH use IPsec AH?

Just guessing here, but maybe the problem is (from icmp_input()):

        /*
         * XXX if the packet contains [IPv4 AH TCP], we can't make a
         * notification to TCP layer.
         */
        ctlfunc = inetsw[ip_protox[icp->icmp_ip.ip_p]].pr_ctlinput;
        if (ctlfunc)
                (*ctlfunc)(code, (struct sockaddr *)&icmpsrc,
                    (void *)&icp->icmp_ip);
--
Dave Baukus
dbaukus at chiaro.com
Chiaro Networks Ltd.
Richardson, Texas
USA
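The following is an added illustration, not part of the original post or of the FreeBSD source: it parses an ICMP "fragmentation needed" message (type 3, code 4) the way a receiving host would, pulls out the next-hop MTU and the protocol of the quoted IP header, and mirrors the dispatch above, where the handler is picked by that quoted protocol, so a quoted AH header means TCP never sees the notification. The packet bytes are constructed, and the helper names are this example's own.

```c
/* Added example (not from the original post): parse an ICMP need-frag
 * message and decide, as icmp_input() does, which protocol gets notified. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ICMP_UNREACH           3
#define ICMP_UNREACH_NEEDFRAG  4
#define PROTO_TCP              6
#define PROTO_AH               51

struct needfrag {
    uint16_t next_mtu;    /* next-hop MTU carried in the ICMP header (RFC 1191) */
    uint8_t  inner_proto; /* protocol field of the quoted IP header */
    uint8_t  inner_ihl;   /* header length of the quoted IP header, in bytes */
};

/* pkt points at the ICMP header (outer IP header already stripped).
 * Returns 1 and fills *out if this is a need-frag message, 0 otherwise. */
int parse_needfrag(const uint8_t *pkt, size_t len, struct needfrag *out) {
    if (len < 8 + 20)                                         /* ICMP hdr + quoted IP hdr */
        return 0;
    if (pkt[0] != ICMP_UNREACH || pkt[1] != ICMP_UNREACH_NEEDFRAG)
        return 0;
    out->next_mtu = (uint16_t)((pkt[6] << 8) | pkt[7]);      /* bytes 6-7 of ICMP hdr */
    const uint8_t *ip = pkt + 8;
    if ((ip[0] >> 4) != 4)                                    /* must quote an IPv4 header */
        return 0;
    out->inner_ihl   = (uint8_t)((ip[0] & 0x0f) * 4);
    out->inner_proto = ip[9];
    return 1;
}

/* Mirrors inetsw[ip_protox[icp->icmp_ip.ip_p]].pr_ctlinput: the handler is
 * chosen by the quoted header's protocol, so [IPv4 AH TCP] goes to AH, not TCP. */
int tcp_would_be_notified(const struct needfrag *nf) {
    return nf->inner_proto == PROTO_TCP;
}

/* Build a constructed need-frag message: ICMP 3/4, next-hop MTU `mtu`, and a
 * 20-byte quoted IPv4 header with protocol `proto`. Checksums left zero. */
size_t build_needfrag(uint8_t *buf, uint16_t mtu, uint8_t proto) {
    memset(buf, 0, 28);
    buf[0] = ICMP_UNREACH;
    buf[1] = ICMP_UNREACH_NEEDFRAG;
    buf[6] = (uint8_t)(mtu >> 8);
    buf[7] = (uint8_t)(mtu & 0xff);
    buf[8]  = 0x45;                                           /* IPv4, IHL 5 */
    buf[17] = proto;                                          /* quoted protocol field */
    return 28;
}
```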