[2905] in linux-net channel archive


IP masquerading and fragmentation

daemon@ATHENA.MIT.EDU (Nigel Metheringham)
Tue May 14 18:49:41 1996

To: Alan Cox <alan@cymru.net>
cc: linux-net@vger.rutgers.edu, masq@lists.indyramp.com
From: Nigel Metheringham <Nigel.Metheringham@theplanet.net>
In-reply-to: Your message of "Mon, 13 May 1996 09:07:50 BST."
             <199605130807.JAA25509@snowcrash.cymru.net> 
Date: 	Tue, 14 May 1996 17:26:37 +0100

I have been running some tests on the IP Masquerading stuff, 
generally with reasonable results at present.  However there is one 
case that completely floors it...


The situation is:-
	<A> a client box, with reasonable IP stack that does
	    (or attempts) MTU discovery - ie a Linux box
	    It communicates with the internet via...

	<B> a Linux box acting as a masquerading router.
	    The private network is one side, with <A> on it,
	    the internet (by some means) on the other.

Now <A> is talking to some distant host (via <B>), and between <B> 
and that host there is some router which has a low MTU.  <A> starts 
up the connection and attempts MTU discovery - <A> sends out a big 
fat packet with DF (don't frag) set, the intermediate router will 
have none of this, so sends back an ICMP saying the host is 
unreachable, need to frag.  However since <A> is masquerading via <B> 
and the masquerade cannot handle ICMP packets, we are in a fix.  <A> 
keeps trying to send its MTU discovery packet, the router keeps 
dropping the packet on the floor, and <B> drops the ICMP packet on 
the floor.

So, what's the solution?

A bad solution that may well work would be to strip the DF flags from 
packets passing through the masquerade (it's also simple to do).

A better solution would be to process the ICMP packet in some way.  
The only possibility would be that the ip_masquerade table was 
searched for all hosts that were speaking to that target, and each of 
those was sent a copy of the ICMP packet.  This obviously has some 
problems such as a proliferation of ICMP packets, and it appears that 
the code to handle this would break the modularity of the ip code 
very effectively!

Any comments, or even better some good ideas?

	Nigel.
-- 
[ Nigel.Metheringham@theplanet.net   - Unix Applications Engineer ]
[ *Views expressed here are personal and not supported by PLAnet* ]
[ PLAnet Online : The White House     Tel : +44 113 2345566 x 612 ]
[ Melbourne Street, Leeds LS2 7PS UK. Fax : +44 113 2345656       ]
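
The table lookup the message asks about, as an added example that is not part of the original post nor of the kernel masquerading code of the time: an ICMP "fragmentation needed" error (type 3, code 4) quotes the IP header and the first 8 bytes of the packet that triggered it, and for TCP those 8 bytes hold the source and destination ports. The masquerading router therefore sees its own allocated external port inside the quote and can map the error back to exactly one internal host, instead of fanning copies out to every host speaking to that target. The addresses, ports and the MASQ_TABLE layout below are constructed for illustration and are not Linux's ip_masq structures.

```python
# Added example: de-masquerade an inbound ICMP frag-needed error using the
# quoted inner header.  All addresses, ports and the table are constructed.
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (odd-length input is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_header(src, dst, proto, payload_len, ident=0, df=False):
    """20-byte IPv4 header with a valid checksum; df sets Don't Fragment."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      0x4000 if df else 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_segment(sport, dport, payload):
    """Minimal TCP header (ACK, no options); its checksum is irrelevant here."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x10,
                       8192, 0, 0) + payload


def icmp_frag_needed(router_ip, dst_ip, next_hop_mtu, offending):
    """ICMP type 3 code 4 (RFC 1191): quotes offending IP header + 8 bytes."""
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + offending[:28]
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ip_header(router_ip, dst_ip, 1, len(body)) + body


# Constructed masquerade table keyed by the external port <B> allocated:
# port -> (internal ip, internal port, remote ip, remote port).  Two internal
# hosts talk to the same target, the case where outer addresses alone are
# ambiguous and only the quoted port can tell the flows apart.
MASQ_TABLE = {
    61000: ("10.0.0.5", 1234, "198.51.100.7", 80),
    61001: ("10.0.0.6", 4321, "198.51.100.7", 80),
}


def demasq_icmp(packet: bytes, table: dict):
    """Return (rewritten packet, (internal ip, port), next-hop MTU) when the
    error matches one masqueraded TCP flow, else None (drop it)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        return None                                 # not ICMP
    icmp = packet[ihl:]
    if (icmp[0], icmp[1]) != (3, 4):
        return None                                 # only frag-needed here
    mtu = struct.unpack("!H", icmp[6:8])[0]
    inner = bytearray(icmp[8:])                     # quote of our own packet
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[9] != 6 or len(inner) < inner_ihl + 4:
        return None                                 # need the quoted TCP ports
    inner_dst = socket.inet_ntoa(bytes(inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    entry = table.get(sport)
    if entry is None or entry[2:] != (inner_dst, dport):
        return None                                 # no matching masq flow
    int_ip, int_port = entry[0], entry[1]
    # Undo the masquerade inside the quote so <A> recognises its own packet.
    inner[12:16] = socket.inet_aton(int_ip)
    inner[inner_ihl:inner_ihl + 2] = struct.pack("!H", int_port)
    inner[10:12] = b"\x00\x00"
    inner[10:12] = struct.pack("!H", checksum(bytes(inner[:inner_ihl])))
    new_icmp = bytearray(icmp[:8]) + inner
    new_icmp[2:4] = b"\x00\x00"
    new_icmp[2:4] = struct.pack("!H", checksum(bytes(new_icmp)))
    router_ip = socket.inet_ntoa(packet[12:16])
    return (ip_header(router_ip, int_ip, 1, len(new_icmp)) + bytes(new_icmp),
            (int_ip, int_port), mtu)


def build_error():
    """<A> sends a 1500-byte DF packet, <B> masquerades it as 192.0.2.1:61000,
    a router with a 576-byte link rejects it and errors back to <B>."""
    payload = b"\x00" * (1500 - 40)
    from_a = (ip_header("10.0.0.5", "198.51.100.7", 6, 20 + len(payload),
                        ident=7, df=True) + tcp_segment(1234, 80, payload))
    masq = bytearray(from_a)                        # what <B> put on the wire
    masq[12:16] = socket.inet_aton("192.0.2.1")
    masq[20:22] = struct.pack("!H", 61000)
    masq[10:12] = b"\x00\x00"
    masq[10:12] = struct.pack("!H", checksum(bytes(masq[:20])))
    return icmp_frag_needed("203.0.113.9", "192.0.2.1", 576, bytes(masq))


if __name__ == "__main__":
    pkt, target, mtu = demasq_icmp(build_error(), MASQ_TABLE)
    print("deliver to %s:%d, next-hop MTU %d" % (target[0], target[1], mtu))
```

The lookup checks the quoted remote address and port as well as the external port, so a stale or reused port cannot misdirect someone else's error into a host's connection, and anything that matches no table entry is dropped rather than broadcast. Clearing DF on the way out, by contrast, would silently turn PMTU discovery off for the whole private network and leave <B> fragmenting everything.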