Date: Thu, 2 Mar 2023 20:45:35 +0300 From: Victor Gamov <vitspec@gmail.com> To: Alexander Chernikov <melifaro@freebsd.org> Cc: freebsd-net <freebsd-net@freebsd.org> Subject: Re: ECMP, DF-bit and ICMP "Fragmentation needed" Message-ID: <CAPOOyvkRswW3bm5AQ%2B8O-ksunnsKJJJS8qgQT7pYM1JUspxr%2BQ@mail.gmail.com> In-Reply-To: <D6B018C6-C3CF-41FB-9EF5-EAECA63ECB1F@freebsd.org> References: <CAPOOyvkdnfotpEHwWYfRBUfmLmF9-eBLHWU-LOJnDVSBy_S4_A@mail.gmail.com> <D6B018C6-C3CF-41FB-9EF5-EAECA63ECB1F@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--0000000000000a701d05f5ee6621 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Mon, 27 Feb 2023 at 13:57, Alexander Chernikov <melifaro@freebsd.org> wrote: > > > > On 26 Feb 2023, at 12:07, Victor Gamov <vitspec@gmail.com> wrote: > > > > Hi All > > > > I have following scheme: > > - LAN segment 10.5.8.0/24 with router1 (10.5.8.1) and MTU=3D1500 > > - two hosts at LAN segment host21 (10.5.8.21) and host22 (10.5.8.22) > > - host21 and host22 has VIP=3D172.16.110.30 configured as LAN-interface > alias > > - host21 and host22 ha BGP peering with router1 and announce VIP to > router1 > > - hostX somewhere at intranet > > - ipsec-tunnel with MTU=3D1400 > > > > ECMP works fine and traffic from other segments to VIP is balanced > between host21+host22 by router1. > > > > The problem is: > > when host21 and/or host22 send large packet with DF-bit using VIP as > source then ipsec-router sends ICMP "Fragmentation needed" and then this > ICMP is _always_ sent to only host22 by router1. > > > > I think it may be hard or impossible to find proper VIP-owner to send > this ICMP. Is it possible to propagate such ICMP to all VIP-owners in > router1 routing-table? Or may some data from ICMP message be used to > properly calculate ECMP-hash to find a real VIP-owner which must receive > this ICMP? > Generally it=E2=80=99s pretty hard to do. The path may go through the mul= tiple > routers which has it own hash calculation + seed to avoid the traffic > polarisation. Personally I=E2=80=99d suggest doing some sort of ICMP repl= ication on > either the source node or the hosts. > Hi Alexander! Thanks for your reply. In my scheme router1 can replicate such ICMP to all VIP-owners. And only router1 knows about both host21+host22 peers -- for all other network devices this VIP is behind router1. --=20 CU, Victor Gamov --0000000000000a701d05f5ee6621 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable <div dir=3D"ltr"><div dir=3D"ltr"><br></div><br><div class=3D"gmail_quote">= <div dir=3D"ltr" class=3D"gmail_attr">On Mon, 27 Feb 2023 at 13:57, Alexand= er Chernikov <<a href=3D"mailto:melifaro@freebsd.org" target=3D"_blank">= melifaro@freebsd.org</a>> wrote:<br></div><blockquote class=3D"gmail_quo= te" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204= );padding-left:1ex"><br> <br> > On 26 Feb 2023, at 12:07, Victor Gamov <<a href=3D"mailto:vitspec@g= mail.com" target=3D"_blank">vitspec@gmail.com</a>> wrote:<br> > <br> > Hi All<br> > <br> > I have following scheme:<br> > - LAN segment <a href=3D"http://10.5.8.0/24" rel=3D"noreferrer" target= =3D"_blank">10.5.8.0/24</a> with router1 (10.5.8.1) and MTU=3D1500<br> > - two hosts at LAN segment host21 (10.5.8.21) and host22 (10.5.8.22)<b= r> > - host21 and host22 has VIP=3D172.16.110.30 configured as LAN-interfac= e alias<br> > - host21 and host22 ha BGP peering with router1 and announce VIP to ro= uter1<br> > - hostX somewhere at intranet<br> > - ipsec-tunnel with MTU=3D1400<br> > <br> > ECMP works fine and traffic from other segments to VIP is balanced bet= ween host21+host22 by router1.<br> > <br> > The problem is:<br> > when host21 and/or host22 send large packet with DF-bit using VIP as s= ource then ipsec-router sends ICMP "Fragmentation needed" and the= n this ICMP is _always_ sent to only host22 by router1.<br> > <br> > I think it may be hard or impossible to find proper VIP-owner to send = this ICMP.=C2=A0 Is it possible to propagate such ICMP to all VIP-owners in= router1 routing-table? Or may some data from ICMP message be used to prope= rly calculate ECMP-hash to find a real VIP-owner which must receive this IC= MP?<br> Generally it=E2=80=99s pretty hard to do. The path may go through the multi= ple routers which has it own hash calculation + seed to avoid the traffic p= olarisation. Personally I=E2=80=99d suggest doing some sort of ICMP replica= tion on either the source node or the hosts.<br clear=3D"all"></blockquote>= <div><br></div><div>Hi Alexander!</div><div><br></div><div>Thanks for your = reply. <br></div><div><br></div><div>In my scheme router1 can replicate suc= h ICMP to all VIP-owners.=C2=A0 And only router1 knows about both host21+ho= st22 peers -- for all other network devices this VIP is behind router1.</di= v></div><br>-- <br><div dir=3D"ltr">CU,<br>Victor Gamov</div></div> --0000000000000a701d05f5ee6621--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAPOOyvkRswW3bm5AQ%2B8O-ksunnsKJJJS8qgQT7pYM1JUspxr%2BQ>