• Sabrina Dubroca's avatar
    xfrm: xfrm_state_mtu should return at least 1280 for ipv6 · b515d263
    Sabrina Dubroca authored
    Jianwen reported that IPv6 Interoperability tests are failing in an
    IPsec case where one of the links between the IPsec peers has an MTU
    of 1280. The peer generates a packet larger than this MTU, the router
    replies with a "Packet too big" message indicating an MTU of 1280.
    When the peer tries to send another large packet, xfrm_state_mtu
    returns 1280 - ipsec_overhead, which causes ip6_setup_cork to fail
    with EINVAL.
    
    We can fix this by forcing xfrm_state_mtu to return IPV6_MIN_MTU when
    IPv6 is used. After going through IPsec, the packet will then be
    fragmented to obey the actual network's PMTU, just before leaving the
    host.
    
    Currently, TFC padding is capped to PMTU - overhead to avoid
    fragementation: after padding and encapsulation, we still fit within
    the PMTU. That behavior is preserved in this patch.
    
    Fixes: 91657eaf ("xfrm: take net hdr len into account for esp payload size calculation")
    Reported-by: default avatarJianwen Ji <jiji@redhat.com>
    Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
    Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
    b515d263
xfrm_state.c 66.7 KB