
List:       freebsd-isp
Subject:    Re: Cisco <-> FreeBSD IP tunnels
From:       Rowan Crowe <rowan () sensation ! net ! au>
Date:       2001-05-25 2:23:03

On Fri, 25 May 2001, Rowan Crowe wrote:

> Hello,
> 
> I'm having a problem with Cisco NOS style tunnels, running the iptunnel.c
> program at the FreeBSD end. It seems you can't configure the MTU on the
> Cisco, so the effective MTU ends up being 1480 bytes (1500 minus 20 bytes
> encapsulation overhead). This is causing BIG problems with MTU path
> discovery, and web sites that support PMTU but have a firewall somewhere
> blocking more ICMP than it should.

This sentence pretty much sums it up:

"However, increasing the tunnel MTU isn't feasible if the links over which
the tunnel packets are sent are smaller than 1500 bytes, because the DF
bit of the original packet is copied to the tunnel packet header. In this
scenario, the router can encapsulate the original packet, but can't
fragment the tunnel packet, since the DF bit is set."

As long as the Cisco copies the DF bit in the header of the original
packet, to the DF bit of the encapsulated header packet, its tunnel will
always be limited to an MTU of 20 lower than the interface it is going out
(and in practical terms, all other links to the destination).

FreeBSD's tunnel program seems to be quite happy to turn a 1500 byte
packet into an encapsulated packet of 1520, which is then fragmented by
the kernel into 2 packets as it passes over ethernet, and comes out of the
tunnel as an *intact* 1500 byte packet. The fragmentation is 'outside' the
tunnel, and is effectively seamless to each end. With a Cisco, the 1500
byte packet is fragmented *before* it enters the tunnel (due to 1480 MTU),
and will leave the tunnel as 2 fragments also. If the DF bit is set, then
the packet does not enter the tunnel at all (it's dropped) and an ICMP
"need to frag - MTU 1480" message is sent. This annoying behaviour would
be non-existent if the DF bit was not copied over to the encapsulated
header...

The only solution I can think of at the moment is to find something which
will encapsulate a 1500 byte packet properly, possibly FreeBSD to
FreeBSD... it's messy though, since it's not my network at the other end.

Cheers.


--
Rowan Crowe                              http://www.rowan.sensation.net.au/
Sensation Internet Services                   http://info.sensation.net.au/
Melbourne, Australia                                 Phone: +61-3-9329-5498
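The two endpoint behaviours described in the message (Cisco copying the inner DF bit into the outer header versus FreeBSD's iptunnel leaving it clear), as an added model that is not part of the original thread or of iptunnel.c; it assumes the 20-byte encapsulation overhead and 1500-byte ethernet link the message quotes, and the `icmp_filtered` flag is a hypothetical stand-in for the firewall case the message mentions.

```python
# Model of a tunnel endpoint handling one inner IP packet, following the message.
ENCAP_OVERHEAD = 20   # bytes added by IP-in-IP encapsulation (from the message)
LINK_MTU = 1500       # ethernet MTU on the egress link (from the message)


def ip_fragment_count(length, mtu, header_len=20):
    """Fragments needed to carry `length` bytes over a link of `mtu` bytes.
    Each fragment repeats the IP header and carries a payload that is a
    multiple of 8 bytes, except the last one, as IP fragmentation requires."""
    if length <= mtu:
        return 1
    payload = length - header_len
    per_fragment = (mtu - header_len) // 8 * 8
    return -(-payload // per_fragment)          # ceiling division


def tunnel_packet(length, df, copy_df):
    """Outcome for an inner packet of `length` bytes with DF bit `df` entering
    a tunnel whose endpoint copies the inner DF bit to the outer header
    (`copy_df=True`, the Cisco behaviour) or never sets it (the FreeBSD one)."""
    tunnel_mtu = LINK_MTU - ENCAP_OVERHEAD      # 1480: the effective tunnel MTU
    outer_len = length + ENCAP_OVERHEAD
    if outer_len <= LINK_MTU:
        return ("forwarded", 1)                 # fits the link after encapsulation
    if copy_df:
        if df:
            # Outer DF is set too, so the router may not fragment the outer
            # packet: drop it and report the tunnel MTU back to the sender.
            return ("dropped_icmp_need_frag", tunnel_mtu)
        # Inner packet is fragmented *before* it enters the tunnel and each
        # fragment is encapsulated on its own, so it leaves as fragments too.
        return ("fragmented_before_tunnel", ip_fragment_count(length, tunnel_mtu))
    # Outer DF is clear whatever the inner bit says: the kernel fragments the
    # *outer* packet, the far end reassembles it and decapsulates an intact
    # inner packet, so the fragmentation is invisible inside the tunnel.
    return ("fragmented_outside_tunnel", ip_fragment_count(outer_len, LINK_MTU))


def path_mtu_after(current_pmtu, outcome, icmp_filtered):
    """What a PMTUD sender learns from `outcome`: the advertised MTU if the
    "need to frag" ICMP reaches it, nothing at all if a firewall on the path
    filters that ICMP (it keeps retransmitting the same oversized DF packet)."""
    kind, value = outcome
    if kind == "dropped_icmp_need_frag" and not icmp_filtered:
        return value
    return current_pmtu
```

The filtered case is the stall the message complains about: the sender never drops below 1500 bytes, so every full-size DF packet keeps being discarded at the Cisco end.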


