Date: Thu, 2 Mar 2023 20:45:35 +0300
From: Victor Gamov <vitspec@gmail.com>
To: Alexander Chernikov <melifaro@freebsd.org>
Cc: freebsd-net <freebsd-net@freebsd.org>
Subject: Re: ECMP, DF-bit and ICMP "Fragmentation needed"
Message-ID: <CAPOOyvkRswW3bm5AQ%2B8O-ksunnsKJJJS8qgQT7pYM1JUspxr%2BQ@mail.gmail.com>
In-Reply-To: <D6B018C6-C3CF-41FB-9EF5-EAECA63ECB1F@freebsd.org>
References: <CAPOOyvkdnfotpEHwWYfRBUfmLmF9-eBLHWU-LOJnDVSBy_S4_A@mail.gmail.com> <D6B018C6-C3CF-41FB-9EF5-EAECA63ECB1F@freebsd.org>
On Mon, 27 Feb 2023 at 13:57, Alexander Chernikov <melifaro@freebsd.org> wrote:
>
> > On 26 Feb 2023, at 12:07, Victor Gamov <vitspec@gmail.com> wrote:
> >
> > Hi All
> >
> > I have the following scheme:
> > - LAN segment 10.5.8.0/24 with router1 (10.5.8.1) and MTU=1500
> > - two hosts at the LAN segment, host21 (10.5.8.21) and host22 (10.5.8.22)
> > - host21 and host22 have VIP=172.16.110.30 configured as a LAN-interface alias
> > - host21 and host22 have BGP peering with router1 and announce the VIP to router1
> > - hostX somewhere on the intranet
> > - ipsec-tunnel with MTU=1400
> >
> > ECMP works fine and traffic from other segments to the VIP is balanced between host21+host22 by router1.
> >
> > The problem is:
> > when host21 and/or host22 send a large packet with the DF-bit set using the VIP as source, then the ipsec-router sends ICMP "Fragmentation needed" and this ICMP is _always_ sent only to host22 by router1.
> >
> > I think it may be hard or impossible to find the proper VIP-owner to send this ICMP to. Is it possible to propagate such ICMP to all VIP-owners in router1's routing table? Or may some data from the ICMP message be used to properly calculate the ECMP hash to find the real VIP-owner which must receive this ICMP?
> Generally it’s pretty hard to do. The path may go through multiple routers which have their own hash calculation + seed to avoid traffic polarisation. Personally I’d suggest doing some sort of ICMP replication on either the source node or the hosts.

Hi Alexander!

Thanks for your reply.

In my scheme router1 can replicate such ICMP to all VIP-owners. And only router1 knows about both host21+host22 peers -- for all other network devices this VIP is behind router1.
-- 
CU,
Victor Gamov
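As an added illustration of the idea Victor raises (hashing on data carried inside the ICMP error rather than on the ICMP packet itself), not code from the thread or from FreeBSD: the "Fragmentation needed" message embeds the original IP header plus 8 bytes of the transport header, so a router can recover the original flow and hash it direction-independently, landing the error on the same VIP owner that the forward flow was hashed to. The hostX and ipsec-router addresses, the TCP ports and the CRC32 hash are constructed assumptions; this only helps on the single router that knows both owners, not on the multi-router paths Alexander describes.

```python
import struct
import zlib
from ipaddress import IPv4Address

VIP = "172.16.110.30"
VIP_OWNERS = ["10.5.8.21", "10.5.8.22"]   # host21, host22 from the thread
HOSTX = "10.7.0.50"                        # constructed, not from the thread
IPSEC_ROUTER = "10.9.0.1"                  # constructed, not from the thread

def ipv4_header(src, dst, proto, total_len, df=False):
    """Minimal 20-byte IPv4 header; checksum is left zero (not needed here)."""
    flags_frag = 0x4000 if df else 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234,
                       flags_frag, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def frag_needed(inner_src, inner_dst, sport, dport, mtu):
    """Constructed ICMP type 3 code 4 as the ipsec-router would send it:
    outer IP header, 8-byte ICMP header carrying the next-hop MTU, then the
    offending packet's IP header and the first 8 bytes of its TCP header."""
    inner = ipv4_header(inner_src, inner_dst, 6, 1500, df=True)
    inner += struct.pack("!HHI", sport, dport, 1)        # TCP ports + seq
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + inner
    return ipv4_header(IPSEC_ROUTER, inner_src, 1, 20 + len(icmp)) + icmp

def flow_key(src, dst, proto, sport, dport):
    """Direction-independent 5-tuple: a flow and its reverse hash alike."""
    a, b = sorted([(IPv4Address(src).packed, sport),
                   (IPv4Address(dst).packed, dport)])
    return a[0] + b[0] + struct.pack("!BHH", proto, a[1], b[1])

def ecmp_pick(key, nexthops):
    """Toy ECMP selection: CRC32 of the key modulo the number of next hops."""
    return nexthops[zlib.crc32(key) % len(nexthops)]

def owner_for_icmp(pkt, nexthops):
    """Return (next-hop MTU, chosen owner) by hashing the embedded original
    packet instead of the ICMP packet's own (router -> VIP, proto 1) tuple."""
    ihl = (pkt[0] & 0x0F) * 4
    typ, code, _, _, mtu = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    if (typ, code) != (3, 4):
        return None, None
    inner = pkt[ihl + 8:]
    iihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    src, dst = str(IPv4Address(inner[12:16])), str(IPv4Address(inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[iihl:iihl + 4])
    return mtu, ecmp_pick(flow_key(src, dst, proto, sport, dport), nexthops)
```

The forward flow hostX:40000 -> VIP:443 and the ICMP error quoting VIP:443 -> hostX:40000 produce the same key, so both reach the same owner; hashing the outer ICMP header would instead pin every error to one host, as seen in the thread.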
