xfrm: fix tunnel model fragmentation behavior

Message ID	20220221051648.22660-1-lina.wang@mediatek.com (mailing list archive)
State	Superseded
Delegated to:	Netdev Maintainers
Headers	show Return-Path: <netdev-owner@kernel.org> From: Lina Wang <lina.wang@mediatek.com> To: Steffen Klassert <steffen.klassert@secunet.com>, Herbert Xu <herbert@gondor.apana.org.au>, "David S . Miller" <davem@davemloft.net>, Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>, David Ahern <dsahern@kernel.org>, Jakub Kicinski <kuba@kernel.org>, Matthias Brugger <matthias.bgg@gmail.com> CC: <netdev@vger.kernel.org>, <linux-kernel@vger.kernel.org>, <linux-arm-kernel@lists.infradead.org>, Lina Wang <lina.wang@mediatek.com> Subject: [PATCH] xfrm: fix tunnel model fragmentation behavior Date: Mon, 21 Feb 2022 13:16:48 +0800 Message-ID: <20220221051648.22660-1-lina.wang@mediatek.com> MIME-Version: 1.0 Content-Type: text/plain Precedence: bulk
Series	xfrm: fix tunnel model fragmentation behavior \| expand xfrm: fix tunnel model fragmentation behavior

Context	Check	Description
netdev/fixes_present	success	Fixes tag not required for -next series
netdev/subject_prefix	warning	Target tree name not specified in the subject
netdev/cover_letter	success	Single patches do not need cover letters
netdev/patch_count	success	Link
netdev/header_inline	success	No static functions without inline keyword in header files
netdev/build_32bit	success	Errors and warnings before: 0 this patch: 0
netdev/cc_maintainers	warning	1 maintainers not CCed: linux-mediatek@lists.infradead.org
netdev/build_clang	success	Errors and warnings before: 0 this patch: 0
netdev/module_param	success	Was 0 now: 0
netdev/verify_signedoff	success	Signed-off-by tag matches author and committer
netdev/verify_fixes	success	No Fixes tag
netdev/build_allmodconfig_warn	success	Errors and warnings before: 0 this patch: 0
netdev/checkpatch	success	total: 0 errors, 0 warnings, 0 checks, 39 lines checked
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/source_inline	success	Was 0 now: 0
netdev/tree_selection	success	Guessing tree name failed - patch did not apply

Lina Wang Feb. 21, 2022, 5:16 a.m. UTC

in tunnel mode, if outer interface(ipv4) is less, it is easily to let 
inner IPV6 mtu be less than 1280. If so, a Packet Too Big ICMPV6 message 
is received. When send again, packets are fragmentized with 1280, they
are still rejected with ICMPV6(Packet Too Big) by xfrmi_xmit2().

According to RFC4213 Section3.2.2:
         if (IPv4 path MTU - 20) is less than 1280
                 if packet is larger than 1280 bytes
                         Send ICMPv6 "packet too big" with MTU = 1280.
                         Drop packet.
                 else
                         Encapsulate but do not set the Don't Fragment
                         flag in the IPv4 header.  The resulting IPv4
                         packet might be fragmented by the IPv4 layer
                         on the encapsulator or by some router along
                         the IPv4 path.
                 endif
         else
                 if packet is larger than (IPv4 path MTU - 20)
                         Send ICMPv6 "packet too big" with
                         MTU = (IPv4 path MTU - 20).
                         Drop packet.
                 else
                         Encapsulate and set the Don't Fragment flag
                         in the IPv4 header.
                 endif
         endif
Packets should be fragmentized with ipv4 outer interface, so change it.

After it is fragemtized with ipv4, there will be double fragmenation.
No.48 & No.51 are ipv6 fragment packets, No.48 is double fragmentized, 
then tunneled with IPv4(No.49& No.50), which obey spec. And received peer
cannot decrypt it rightly.

48              2002::10	2002::11 1296(length) IPv6 fragment (off=0 more=y ident=0xa20da5bc nxt=50) 
49   0x0000 (0) 2002::10	2002::11 1304	      IPv6 fragment (off=0 more=y ident=0x7448042c nxt=44)
50   0x0000 (0)	2002::10	2002::11 200	      ESP (SPI=0x00035000) 
51		2002::10	2002::11 180	      Echo (ping) request 
52   0x56dc     2002::10	2002::11 248	      IPv6 fragment (off=1232 more=n ident=0xa20da5bc nxt=50)

esp_noneed_fragment has fixed above issues. Finally, it acted like below:
1   0x6206 192.168.1.138   192.168.1.1 1316 Fragmented IP protocol (proto=Encap Security Payload 50, off=0, ID=6206) [Reassembled in #2]
2   0x6206 2002::10	   2002::11    88   IPv6 fragment (off=0 more=y ident=0x1f440778 nxt=50)
3   0x0000 2002::10	   2002::11    248  ICMPv6    Echo (ping) request 

Signed-off-by: Lina Wang <lina.wang@mediatek.com>
---
 net/ipv6/xfrm6_output.c   | 16 ++++++++++++++++
 net/xfrm/xfrm_interface.c |  5 ++++-
 2 files changed, 20 insertions(+), 1 deletion(-)

Steffen Klassert Feb. 21, 2022, 11:04 a.m. UTC | #1

On Mon, Feb 21, 2022 at 01:16:48PM +0800, Lina Wang wrote:
> in tunnel mode, if outer interface(ipv4) is less, it is easily to let 
> inner IPV6 mtu be less than 1280. If so, a Packet Too Big ICMPV6 message 
> is received. When send again, packets are fragmentized with 1280, they
> are still rejected with ICMPV6(Packet Too Big) by xfrmi_xmit2().
> 
> According to RFC4213 Section3.2.2:
>          if (IPv4 path MTU - 20) is less than 1280
>                  if packet is larger than 1280 bytes
>                          Send ICMPv6 "packet too big" with MTU = 1280.
>                          Drop packet.
>                  else
>                          Encapsulate but do not set the Don't Fragment
>                          flag in the IPv4 header.  The resulting IPv4
>                          packet might be fragmented by the IPv4 layer
>                          on the encapsulator or by some router along
>                          the IPv4 path.
>                  endif
>          else
>                  if packet is larger than (IPv4 path MTU - 20)
>                          Send ICMPv6 "packet too big" with
>                          MTU = (IPv4 path MTU - 20).
>                          Drop packet.
>                  else
>                          Encapsulate and set the Don't Fragment flag
>                          in the IPv4 header.
>                  endif
>          endif
> Packets should be fragmentized with ipv4 outer interface, so change it.
> 
> After it is fragemtized with ipv4, there will be double fragmenation.
> No.48 & No.51 are ipv6 fragment packets, No.48 is double fragmentized, 
> then tunneled with IPv4(No.49& No.50), which obey spec. And received peer
> cannot decrypt it rightly.
> 
> 48              2002::10	2002::11 1296(length) IPv6 fragment (off=0 more=y ident=0xa20da5bc nxt=50) 
> 49   0x0000 (0) 2002::10	2002::11 1304	      IPv6 fragment (off=0 more=y ident=0x7448042c nxt=44)
> 50   0x0000 (0)	2002::10	2002::11 200	      ESP (SPI=0x00035000) 
> 51		2002::10	2002::11 180	      Echo (ping) request 
> 52   0x56dc     2002::10	2002::11 248	      IPv6 fragment (off=1232 more=n ident=0xa20da5bc nxt=50)
> 
> esp_noneed_fragment has fixed above issues. Finally, it acted like below:
> 1   0x6206 192.168.1.138   192.168.1.1 1316 Fragmented IP protocol (proto=Encap Security Payload 50, off=0, ID=6206) [Reassembled in #2]
> 2   0x6206 2002::10	   2002::11    88   IPv6 fragment (off=0 more=y ident=0x1f440778 nxt=50)
> 3   0x0000 2002::10	   2002::11    248  ICMPv6    Echo (ping) request 
> 
> Signed-off-by: Lina Wang <lina.wang@mediatek.com>

We have two commits in the ipsec tree that address a very similar
issue. That is:

commit 6596a0229541270fb8d38d989f91b78838e5e9da
xfrm: fix MTU regression

and

commit a6d95c5a628a09be129f25d5663a7e9db8261f51
Revert "xfrm: xfrm_state_mtu should return at least 1280 for ipv6"

Can you please doublecheck that the issue you are fixing still
exist in the ipsec tree?

Thanks!

Lina Wang Feb. 22, 2022, 2:18 a.m. UTC | #2

On Mon, 2022-02-21 at 12:04 +0100, Steffen Klassert wrote:
> On Mon, Feb 21, 2022 at 01:16:48PM +0800, Lina Wang wrote:
> > in tunnel mode, if outer interface(ipv4) is less, it is easily to
We have two commits in the ipsec tree that address a very similar
> issue. That is:
> 
> commit 6596a0229541270fb8d38d989f91b78838e5e9da
> xfrm: fix MTU regression
> 
> and
> 
> commit a6d95c5a628a09be129f25d5663a7e9db8261f51
> Revert "xfrm: xfrm_state_mtu should return at least 1280 for ipv6"
> 
> Can you please doublecheck that the issue you are fixing still
> exist in the ipsec tree?

Yes, I know the two patches, which didnot help for my scenary. Whatever 
commit a6d95c5a62 exist or not, there still is double fragment issue. From
commit 6596a022's mail thread, owner has met double fragment issue, I am 
not sure if it is the same with mine.

My scenary is very simple, set up ipsec0, create default route, set 
transport mode for ipsec0 and tunnel mode for wlan0.

ip link add ipsec0 type xfrm dev xfrm dev wlan0 if_id xx
ip link set mtu 1400 dev ipsec0
ip link set mtu 1300 dev wlan0

ping6 -s 1300 xx will always reproduce such issue.

Thanks!

Steffen Klassert Feb. 23, 2022, 8:25 a.m. UTC | #3

On Tue, Feb 22, 2022 at 10:18:04AM +0800, Lina Wang wrote:
> On Mon, 2022-02-21 at 12:04 +0100, Steffen Klassert wrote:
> > On Mon, Feb 21, 2022 at 01:16:48PM +0800, Lina Wang wrote:
> > > in tunnel mode, if outer interface(ipv4) is less, it is easily to
> We have two commits in the ipsec tree that address a very similar
> > issue. That is:
> > 
> > commit 6596a0229541270fb8d38d989f91b78838e5e9da
> > xfrm: fix MTU regression
> > 
> > and
> > 
> > commit a6d95c5a628a09be129f25d5663a7e9db8261f51
> > Revert "xfrm: xfrm_state_mtu should return at least 1280 for ipv6"
> > 
> > Can you please doublecheck that the issue you are fixing still
> > exist in the ipsec tree?
> 
> Yes, I know the two patches, which didnot help for my scenary. Whatever 
> commit a6d95c5a62 exist or not, there still is double fragment issue. From
> commit 6596a022's mail thread, owner has met double fragment issue, I am 
> not sure if it is the same with mine.

Thanks for the doublecking this!

Steffen Klassert Feb. 23, 2022, 8:31 a.m. UTC | #4

On Mon, Feb 21, 2022 at 01:16:48PM +0800, Lina Wang wrote:
> in tunnel mode, if outer interface(ipv4) is less, it is easily to let 
> inner IPV6 mtu be less than 1280. If so, a Packet Too Big ICMPV6 message 
> is received. When send again, packets are fragmentized with 1280, they
> are still rejected with ICMPV6(Packet Too Big) by xfrmi_xmit2().
> 
> According to RFC4213 Section3.2.2:
>          if (IPv4 path MTU - 20) is less than 1280
>                  if packet is larger than 1280 bytes
>                          Send ICMPv6 "packet too big" with MTU = 1280.
>                          Drop packet.
>                  else
>                          Encapsulate but do not set the Don't Fragment
>                          flag in the IPv4 header.  The resulting IPv4
>                          packet might be fragmented by the IPv4 layer
>                          on the encapsulator or by some router along
>                          the IPv4 path.
>                  endif
>          else
>                  if packet is larger than (IPv4 path MTU - 20)
>                          Send ICMPv6 "packet too big" with
>                          MTU = (IPv4 path MTU - 20).
>                          Drop packet.
>                  else
>                          Encapsulate and set the Don't Fragment flag
>                          in the IPv4 header.
>                  endif
>          endif
> Packets should be fragmentized with ipv4 outer interface, so change it.
> 
> After it is fragemtized with ipv4, there will be double fragmenation.
> No.48 & No.51 are ipv6 fragment packets, No.48 is double fragmentized, 
> then tunneled with IPv4(No.49& No.50), which obey spec. And received peer
> cannot decrypt it rightly.
> 
> 48              2002::10	2002::11 1296(length) IPv6 fragment (off=0 more=y ident=0xa20da5bc nxt=50) 
> 49   0x0000 (0) 2002::10	2002::11 1304	      IPv6 fragment (off=0 more=y ident=0x7448042c nxt=44)
> 50   0x0000 (0)	2002::10	2002::11 200	      ESP (SPI=0x00035000) 
> 51		2002::10	2002::11 180	      Echo (ping) request 
> 52   0x56dc     2002::10	2002::11 248	      IPv6 fragment (off=1232 more=n ident=0xa20da5bc nxt=50)
> 
> esp_noneed_fragment has fixed above issues. Finally, it acted like below:
> 1   0x6206 192.168.1.138   192.168.1.1 1316 Fragmented IP protocol (proto=Encap Security Payload 50, off=0, ID=6206) [Reassembled in #2]
> 2   0x6206 2002::10	   2002::11    88   IPv6 fragment (off=0 more=y ident=0x1f440778 nxt=50)
> 3   0x0000 2002::10	   2002::11    248  ICMPv6    Echo (ping) request 
> 
> Signed-off-by: Lina Wang <lina.wang@mediatek.com>

Can you please add a 'Fixes' tag?

> ---
>  net/ipv6/xfrm6_output.c   | 16 ++++++++++++++++
>  net/xfrm/xfrm_interface.c |  5 ++++-
>  2 files changed, 20 insertions(+), 1 deletion(-)
> 
> diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
> index d0d280077721..ab4384e22b4f 100644
> --- a/net/ipv6/xfrm6_output.c
> +++ b/net/ipv6/xfrm6_output.c
> @@ -45,6 +45,19 @@ static int __xfrm6_output_finish(struct net *net, struct sock *sk, struct sk_buf
>  	return xfrm_output(sk, skb);
>  }
>  
> +static int esp_noneed_fragment(struct sk_buff *skb)
> +{
> +	struct frag_hdr *fh;
> +	u8 prevhdr = ipv6_hdr(skb)->nexthdr;
> +
> +	if (prevhdr != NEXTHDR_FRAGMENT)
> +		return 0;
> +	fh = (struct frag_hdr *)(skb->data + sizeof(struct ipv6hdr));
> +	if (fh->nexthdr == NEXTHDR_ESP)
> +		return 1;

Shouldn't this problem exist for NEXTHDR_AUTH too?

Lina Wang Feb. 24, 2022, 6:15 a.m. UTC | #5

On Wed, 2022-02-23 at 09:31 +0100, Steffen Klassert wrote:
> On Mon, Feb 21, 2022 at 01:16:48PM +0800, Lina Wang wrote:
>Can you please add a 'Fixes' tag?
>
Sure

+	fh = (struct frag_hdr *)(skb->data + sizeof(struct ipv6hdr));
> > +	if (fh->nexthdr == NEXTHDR_ESP)
> > +		return 1;
> 
> Shouldn't this problem exist for NEXTHDR_AUTH too?

Thanks for reminding! V2 has modified and submitted!

Thanks!

xfrm: fix tunnel model fragmentation behavior

Checks

Commit Message

Comments

Patch