Received: by 2002:a05:6a10:9afc:0:0:0:0 with SMTP id t28csp438336pxm; Wed, 23 Feb 2022 03:52:36 -0800 (PST) X-Google-Smtp-Source: ABdhPJzRmGnxcRx0mkkTMms2axgKVKsC4EXSOh+1oVb2lR9Y6pAG900VcmrNHuWNBpdSYDkhhwX3 X-Received: by 2002:a05:6402:2922:b0:40f:7241:74d4 with SMTP id ee34-20020a056402292200b0040f724174d4mr31400659edb.43.1645617155856; Wed, 23 Feb 2022 03:52:35 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1645617155; cv=none; d=google.com; s=arc-20160816; b=HEAlDfMEntoP0vMWi6UyRESoPx8TWNPjvOHflVEOBCRGorJSUqA8KUDs0zGux4I05Y u/1HaqFkvqFuNmSO83mroattF4BEWZyaCVsZ781BPYVid2GxTf2XeQRxnR+gXub6n9jB YJ9na2lgK7XgE9PkW/NKCDgpWb2jztyHZSlTIg8ASa4v3y4Ne+rQH1eFvXqjiPQFNQuK y+y9Yz/PtSoFbj1JtFY4nhgMKF5m2g0HeOVpx4buCIeHPoH3bUg4ozU9lavTGjxyhtjp xeWRAt8AtFd8d2shkhvuoG1nhZw9uLGH3Nf/ZWofgF08VWdfYc6eUzSZ1wSHnpOPTX4c CFKg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=S1tqfJa2uLyGOLkUlmodbMeau8wzQAMm2+kMEEbaElc=; b=eGmXFfV2XB9uRi/uyM4UU1V7GVAeRHfCZmih6U0nckHwwUd3wN988TIf34xIYp7VhH FcdTiZxkaYRZCRZj121CmnOmbkKEcLtOxEcny5wSjGs9fPqA2SSx1wLNasXNbnQASmZx D8UJ5RyFl2OK7H8orUk21Aumw9yVDytP93cxgwkz6FOTovNRMn8E1dJyKWNeBizCFk3Z bqFJ6uj4cMAO4oaJUkIUUDOV9Fj1LNTnyHH3cxVq7dY8D3zghdQusSJRCH3InifbRATA bZ3eO1d2jTRIol2PMVnvooBqm1T8lEN7ZCreyGq8Kiy19I6vL6J7eRZPVk3oLoObs85m WcSQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id s9si16397263edd.23.2022.02.23.03.52.12; Wed, 23 Feb 2022 03:52:35 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238978AbiBWIc1 (ORCPT + 99 others); Wed, 23 Feb 2022 03:32:27 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42386 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234121AbiBWIcZ (ORCPT ); Wed, 23 Feb 2022 03:32:25 -0500 Received: from a.mx.secunet.com (a.mx.secunet.com [62.96.220.36]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4CC4147546; Wed, 23 Feb 2022 00:31:58 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by a.mx.secunet.com (Postfix) with ESMTP id AD40A20533; Wed, 23 Feb 2022 09:31:56 +0100 (CET) X-Virus-Scanned: by secunet Received: from a.mx.secunet.com ([127.0.0.1]) by localhost (a.mx.secunet.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XOpYCDlDAmvR; Wed, 23 Feb 2022 09:31:56 +0100 (CET) Received: from mailout1.secunet.com (mailout1.secunet.com [62.96.220.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by a.mx.secunet.com (Postfix) with ESMTPS id 1903220501; Wed, 23 Feb 2022 09:31:56 +0100 (CET) Received: from cas-essen-01.secunet.de (unknown [10.53.40.201]) by mailout1.secunet.com (Postfix) with ESMTP id 129F280004A; Wed, 23 Feb 2022 09:31:56 +0100 (CET) Received: from mbx-essen-01.secunet.de (10.53.40.197) by cas-essen-01.secunet.de (10.53.40.201) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.18; Wed, 23 Feb 2022 09:31:55 +0100 Received: from gauss2.secunet.de (10.182.7.193) by mbx-essen-01.secunet.de (10.53.40.197) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.18; Wed, 23 Feb 2022 09:31:55 +0100 Received: by gauss2.secunet.de (Postfix, from userid 1000) id 51EF73180FB1; Wed, 23 Feb 2022 09:31:55 +0100 (CET) Date: Wed, 23 Feb 2022 09:31:55 +0100 From: Steffen Klassert To: Lina Wang CC: Herbert Xu , "David S . Miller" , Hideaki YOSHIFUJI , "David Ahern" , Jakub Kicinski , "Matthias Brugger" , , , Subject: Re: [PATCH] xfrm: fix tunnel model fragmentation behavior Message-ID: <20220223083155.GM17351@gauss3.secunet.de> References: <20220221051648.22660-1-lina.wang@mediatek.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Disposition: inline In-Reply-To: <20220221051648.22660-1-lina.wang@mediatek.com> X-ClientProxiedBy: cas-essen-01.secunet.de (10.53.40.201) To mbx-essen-01.secunet.de (10.53.40.197) X-EXCLAIMER-MD-CONFIG: 2c86f778-e09b-4440-8b15-867914633a10 X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Feb 21, 2022 at 01:16:48PM +0800, Lina Wang wrote: > in tunnel mode, if outer interface(ipv4) is less, it is easily to let > inner IPV6 mtu be less than 1280. If so, a Packet Too Big ICMPV6 message > is received. When send again, packets are fragmentized with 1280, they > are still rejected with ICMPV6(Packet Too Big) by xfrmi_xmit2(). > > According to RFC4213 Section3.2.2: > if (IPv4 path MTU - 20) is less than 1280 > if packet is larger than 1280 bytes > Send ICMPv6 "packet too big" with MTU = 1280. > Drop packet. > else > Encapsulate but do not set the Don't Fragment > flag in the IPv4 header. The resulting IPv4 > packet might be fragmented by the IPv4 layer > on the encapsulator or by some router along > the IPv4 path. > endif > else > if packet is larger than (IPv4 path MTU - 20) > Send ICMPv6 "packet too big" with > MTU = (IPv4 path MTU - 20). > Drop packet. > else > Encapsulate and set the Don't Fragment flag > in the IPv4 header. > endif > endif > Packets should be fragmentized with ipv4 outer interface, so change it. > > After it is fragemtized with ipv4, there will be double fragmenation. > No.48 & No.51 are ipv6 fragment packets, No.48 is double fragmentized, > then tunneled with IPv4(No.49& No.50), which obey spec. And received peer > cannot decrypt it rightly. > > 48 2002::10 2002::11 1296(length) IPv6 fragment (off=0 more=y ident=0xa20da5bc nxt=50) > 49 0x0000 (0) 2002::10 2002::11 1304 IPv6 fragment (off=0 more=y ident=0x7448042c nxt=44) > 50 0x0000 (0) 2002::10 2002::11 200 ESP (SPI=0x00035000) > 51 2002::10 2002::11 180 Echo (ping) request > 52 0x56dc 2002::10 2002::11 248 IPv6 fragment (off=1232 more=n ident=0xa20da5bc nxt=50) > > esp_noneed_fragment has fixed above issues. Finally, it acted like below: > 1 0x6206 192.168.1.138 192.168.1.1 1316 Fragmented IP protocol (proto=Encap Security Payload 50, off=0, ID=6206) [Reassembled in #2] > 2 0x6206 2002::10 2002::11 88 IPv6 fragment (off=0 more=y ident=0x1f440778 nxt=50) > 3 0x0000 2002::10 2002::11 248 ICMPv6 Echo (ping) request > > Signed-off-by: Lina Wang Can you please add a 'Fixes' tag? > --- > net/ipv6/xfrm6_output.c | 16 ++++++++++++++++ > net/xfrm/xfrm_interface.c | 5 ++++- > 2 files changed, 20 insertions(+), 1 deletion(-) > > diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c > index d0d280077721..ab4384e22b4f 100644 > --- a/net/ipv6/xfrm6_output.c > +++ b/net/ipv6/xfrm6_output.c > @@ -45,6 +45,19 @@ static int __xfrm6_output_finish(struct net *net, struct sock *sk, struct sk_buf > return xfrm_output(sk, skb); > } > > +static int esp_noneed_fragment(struct sk_buff *skb) > +{ > + struct frag_hdr *fh; > + u8 prevhdr = ipv6_hdr(skb)->nexthdr; > + > + if (prevhdr != NEXTHDR_FRAGMENT) > + return 0; > + fh = (struct frag_hdr *)(skb->data + sizeof(struct ipv6hdr)); > + if (fh->nexthdr == NEXTHDR_ESP) > + return 1; Shouldn't this problem exist for NEXTHDR_AUTH too?