Date: Sun, 26 Feb 2023 15:07:22 +0300
From: Victor Gamov <vitspec@gmail.com>
To: freebsd-net@freebsd.org
Subject: ECMP, DF-bit and ICMP "Fragmentation needed"
Message-ID: <CAPOOyvkdnfotpEHwWYfRBUfmLmF9-eBLHWU-LOJnDVSBy_S4_A@mail.gmail.com>

Hi All

I have the following scheme:
- LAN segment 10.5.8.0/24 with router1 (10.5.8.1) and MTU=1500
- two hosts at LAN segment host21 (10.5.8.21) and host22 (10.5.8.22)
- host21 and host22 have VIP=172.16.110.30 configured as LAN-interface alias
- host21 and host22 have BGP peering with router1 and announce VIP to router1
- hostX somewhere at intranet
- ipsec-tunnel with MTU=1400

ECMP works fine and traffic from other segments to VIP is balanced between host21+host22 by router1.

The problem is:
when host21 and/or host22 send a large packet with DF-bit using VIP as source, the ipsec-router sends ICMP "Fragmentation needed" and then this ICMP is _always_ sent to only host22 by router1.

I think it may be hard or impossible to find the proper VIP-owner to send this ICMP to. Is it possible to propagate such ICMP to all VIP-owners in router1 routing-table? Or may some data from the ICMP message be used to properly calculate the ECMP-hash to find the real VIP-owner which must receive this ICMP?

Thanks!

--
CU,
Victor Gamov
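
The second idea in the question, hashing on data carried inside the ICMP message, sketched as an added example that is not part of the original post and not router1's or FreeBSD's code: the quoted header of a "Fragmentation needed" message (type 3, code 4) is parsed and its addresses and ports are swapped, so the key equals that of the hostX -> VIP flow. The CRC32 hash, the hostX and tunnel-router addresses, and all function names are assumptions; the sample packets are constructed.

```python
import ipaddress
import struct
import zlib

NEXT_HOPS = ["10.5.8.21", "10.5.8.22"]         # host21, host22 from the post
VIP = "172.16.110.30"                          # from the post
HOSTX, TUNNEL_RTR = "192.0.2.10", "192.0.2.1"  # constructed addresses

def pack_ip(addr):
    return ipaddress.ip_address(addr).packed

def pick(src, dst, proto, sport, dport):
    """Stand-in ECMP selection (assumption): CRC32 of the 5-tuple mod path count."""
    key = pack_ip(src) + pack_ip(dst) + struct.pack("!BHH", proto, sport, dport)
    return NEXT_HOPS[zlib.crc32(key) % len(NEXT_HOPS)]

def ipv4_header(src, dst, proto, total_len, df=False):
    # Checksum left at 0: constructed sample, never put on the wire.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0,
                       0x4000 if df else 0, 64, proto, 0, pack_ip(src), pack_ip(dst))

def sample_icmp(client_port):
    """Constructed 'Fragmentation needed' quoting a VIP -> hostX TCP segment."""
    quoted = ipv4_header(VIP, HOSTX, 6, 1500, df=True) + struct.pack("!HHI", 443, client_port, 0)
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, 1400) + quoted  # type, code, csum, unused, MTU
    return ipv4_header(TUNNEL_RTR, VIP, 1, 20 + len(icmp)) + icmp

def route_frag_needed(packet):
    """Return (next_hop, mtu) chosen from the quoted header, or None if not usable."""
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 8 or packet[9] != 1 or packet[ihl:ihl + 2] != b"\x03\x04":
        return None
    mtu = struct.unpack("!H", packet[ihl + 6:ihl + 8])[0]
    inner = packet[ihl + 8:]
    if len(inner) < 20:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner_ihl < 20 or len(inner) < inner_ihl + 4 or inner[9] not in (6, 17):
        return None  # no ports quoted: caller falls back to sending to all owners
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    src, dst = (str(ipaddress.ip_address(inner[o:o + 4])) for o in (12, 16))
    # Swap source and destination so the key equals the hostX -> VIP flow key.
    return pick(dst, src, inner[9], dport, sport), mtu

if __name__ == "__main__":
    for port in (40000, 40001, 40002, 40003):
        print(port, pick(HOSTX, VIP, 6, port, 443), route_frag_needed(sample_icmp(port)))
```

A `None` result corresponds to the first idea in the question: when the quoted header cannot be used, the message would have to go to every VIP owner.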