Page MenuHomeFreeBSD
Differential D31771

ipsec: Add support for PMTUD for IPv6 tunnels
ClosedPublic
Actions

Authored by bag_semihalf.com on Sep 1 2021, 11:45 AM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Apr 21, 10:12 PM
Unknown Object (File)
Sun, Apr 21, 10:12 PM
Unknown Object (File)
Sun, Apr 21, 10:12 PM
Unknown Object (File)
Sun, Apr 21, 9:39 PM
Unknown Object (File)
Sun, Apr 21, 5:15 PM
Unknown Object (File)
Sun, Apr 21, 5:15 PM
Unknown Object (File)
Sat, Apr 20, 7:26 AM
Unknown Object (File)
Sun, Apr 7, 4:43 PM
View All 42 Files
Subscribers
2khramtsov_gmail.com
bz
dgr_semihalf.com
kd
melifaro

Details

Reviewers
mw
wma
tuexen
ae
Group Reviewers
transport
Commits
rG9dfc8606eb80: ipsec: Add support for PMTUD for IPv6 tunnels
Summary

Discard and send ICMPv6 Packet Too Big to sender when we try to encapsulate
and forward a packet which total length exceeds the PMTU.
Logic is based on the IPv4 implementation.
Common code was moved to a separate function.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

bag_semihalf.com created this revision.Sep 1 2021, 11:45 AM
Herald added a subscriber: melifaro. · View Herald TranscriptSep 1 2021, 11:45 AM
bag_semihalf.com requested review of this revision.Sep 1 2021, 11:45 AM
bag_semihalf.com added a parent revision: D31770: ipsec: If no PMTU in hostcache assume it's equal to link's MTU.
bz added a subscriber: bz.Sep 1 2021, 12:40 PM
bz added inline comments.
sys/netipsec/ipsec_output.c
747

I may not have read the full logic and by description cannot fully follow either which exact case we handle here these days.
Can we possibly in any case send an ICMP6 PTB here out unencrypted anywhere with data which previously came from an encrypted session?
For a long time this has been a serious concern when sending PTB related to IPsec to leak any previously encrypted data back as that opens up to possible attack vectors.

2khramtsov_gmail.com added a subscriber: 2khramtsov_gmail.com.Sep 1 2021, 1:14 PM
bag_semihalf.com added inline comments.Sep 2 2021, 11:46 AM
sys/netipsec/ipsec_output.c
747

This isn’t the case here. When a tunnel gateway receives ICMPv6 PTB (which contains encrypted data), a new PMTU is recorded in the host cache and that’s it, the packet is discarded. We do try not forward this ICMPv6 message to the original sender.
After that when we try to forward a new incoming packet with ip6_forward function, it is handed to IPsec for encryption and there we call
ipsec6_check_pmtu. Here, if we detect that a packet is exceeding the PMTU, we notify the sender with a new PMTU and discard the packet.
The line you are referring to, sends ICMPv6 PTB to its original sender, when we detect that the packet is exceeding the PMTU stored to the host cache. This results in both packets being dropped, and only the second is being sent in the ICMPv6 unencrypted and only to its original sender.

This revision was not accepted when it landed; it landed in state Needs Review.Sep 24 2021, 8:31 AM
Closed by commit rG9dfc8606eb80: ipsec: Add support for PMTUD for IPv6 tunnels (authored by bag_semihalf.com, committed by wma). · Explain Why
This revision was automatically updated to reflect the committed changes.
wma added a commit: rG9dfc8606eb80: ipsec: Add support for PMTUD for IPv6 tunnels.

Revision Contents
Changeset List

PathSize
sys/
netipsec/
1 line
166 lines

Diff 95613

View Options

sys/netipsec/ipsec6.h

Loading...
View Options

sys/netipsec/ipsec_output.c

Loading...