On 20 Feb 2021, at 5:32, Doug Hardie wrote:
On 19 February 2021, at 01:48, Michael Tuexen <michael.tue...@lurchi.franken.de> wrote:

On 19. Feb 2021, at 03:29, Doug Hardie <bc...@lafn.org> wrote:

I don't know if this is a feature or a bug. On FreeBSD 9, the following ping worked:

ping6 -s 5000 -b 6000 fe80::213:72ff:fec3:180f%dc0

I don't have a dc0 interface, but using re0 at one side and bge at the other, I get
with FreeBSD CURRENT:
tuexen@cirrus:~ % ping6 -s 5000 -b 6000 fe80::2e09:4dff:fe00:c00%re0
PING6(5048=40+8+5000 bytes) fe80::aaa1:59ff:fe0c:da92%re0 --> fe80::2e09:4dff:fe00:c00%re0
5008 bytes from fe80::2e09:4dff:fe00:c00%re0, icmp_seq=0 hlim=255 time=0.393 ms
5008 bytes from fe80::2e09:4dff:fe00:c00%re0, icmp_seq=1 hlim=255 time=0.419 ms
5008 bytes from fe80::2e09:4dff:fe00:c00%re0, icmp_seq=2 hlim=255 time=0.354 ms
5008 bytes from fe80::2e09:4dff:fe00:c00%re0, icmp_seq=3 hlim=255 time=0.446 ms
5008 bytes from fe80::2e09:4dff:fe00:c00%re0, icmp_seq=4 hlim=255 time=0.421 ms
5008 bytes from fe80::2e09:4dff:fe00:c00%re0, icmp_seq=5 hlim=255 time=0.372 ms
^C
--- fe80::2e09:4dff:fe00:c00%re0 ping6 statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.354/0.401/0.446/0.031 ms

Best regards
Michael

It had to be stopped, but it returned the number of ping responses received along with statistics.

With FreeBSD 12.2 and 13.0-BETA2, it returns 100% packet loss. tcpdump shows that it properly fragments the data, sends it, the other end receives it and sends back the ACKs. The ACKs are received, but somehow ping doesn't find out that the packets were received.

Without the -s and -b arguments, it works and you get 100% packets received.

I found the problem. pf does not handle IPv6 packets that are fragmented the obvious way. I suspect it is because icmp header is only in the first fragment. I had to reassemble fragments in pf in order to make the large pings work.

If you don’t have `scrub fragment reassemble` set then you have to include something like `pass log inet6 proto ipv6-frag all` to pass fragmented packets (assuming you block by default).

You really, really want `scrub fragment reassemble` because otherwise your firewall can be trivially bypassed, but you need one of the two for fragmented packets to work.

Best regards,
Kristof
_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
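
The point raised in the thread, that the ICMP header is only in the first fragment, as an added Python sketch (not from the thread and not pf's code): it splits a constructed 5008-byte ICMPv6 echo reply as a 1500-byte MTU would and shows what a filter can read from each fragment alone versus from the reassembled packet. The function names, the echo id, the fragment identification and the MTU are assumptions made for the illustration.

```python
import struct

ICMPV6, ECHO_REPLY = 58, 129    # IPv6 next-header value, ICMPv6 type

def fragment(upper, ident, mtu=1500):
    """Split an upper-layer payload into IPv6 fragment headers + data."""
    chunk = (mtu - 40 - 8) & ~7             # data per fragment, multiple of 8
    frags = []
    for off in range(0, len(upper), chunk):
        more = 1 if off + chunk < len(upper) else 0
        # next header, reserved, (offset in 8-byte units << 3) | M flag, id
        frags.append(struct.pack("!BBHI", ICMPV6, 0, off | more, ident)
                     + upper[off:off + chunk])
    return frags

def echo_id(upper):
    """Echo id if the bytes start with an ICMPv6 echo reply header."""
    icmp_type, _code, _cksum, ident, _seq = struct.unpack("!BBHHH", upper[:8])
    return ident if icmp_type == ECHO_REPLY else None

def per_fragment_view(frag):
    """What a filter sees without reassembly: (byte offset, echo id or None)."""
    nxt, _, off_m, _ = struct.unpack("!BBHI", frag[:8])
    offset = off_m & 0xFFF8
    # Only the fragment at offset 0 carries the ICMPv6 header.
    return offset, (echo_id(frag[8:]) if offset == 0 and nxt == ICMPV6 else None)

def reassemble(frags):
    """Rebuild the upper-layer payload; None if a piece is missing."""
    parts, total = {}, None
    for f in frags:
        off_m = struct.unpack("!BBHI", f[:8])[2]
        parts[off_m & 0xFFF8] = f[8:]
        if not off_m & 1:                   # M flag clear: last fragment
            total = (off_m & 0xFFF8) + len(f) - 8
    buf = b"".join(parts[o] for o in sorted(parts))
    return buf if total == len(buf) else None

# Constructed sample: echo reply, id 0x1234, seq 0, 5000 data bytes (checksum zeroed).
REPLY = struct.pack("!BBHHH", ECHO_REPLY, 0, 0, 0x1234, 0) + bytes(5000)
FRAGS = fragment(REPLY, ident=0xABCD)

if __name__ == "__main__":
    for f in FRAGS:
        print(per_fragment_view(f))
    print("reassembled echo id:", hex(echo_id(reassemble(FRAGS))))
```

Three of the four fragments carry no echo id, so a rule or state entry keyed on ICMPv6 fields has nothing to match in them until the packet is reassembled.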
