Re: DTLS: incorrect understanding of MTU

Tue, 12 May 2009 15:48:56 -0700 

Hi Daniel,

yes, you are right. The command line arg is passed to
SSL_set_mtu() which just sets d1->mtu.
The rest of the code assumes that d1->mtu does
only covers the UDP payload. So we need to fix
the handling of SSL_CTRL_SET_MTU to reduce the
value by 20+8.

Regarding path MTU discovery there seems to be a similar
problem, since we have
        case BIO_CTRL_DGRAM_QUERY_MTU:
         sockopt_len = sizeof(sockopt_val);
if ((ret = getsockopt(b->num, IPPROTO_IP, IP_MTU, (void *)&sockopt_val, 
                        &sockopt_len)) < 0 || sockopt_val < 0)
                        { ret = 0; }
                else
                        {
                        data->mtu = sockopt_val;
                        ret = data->mtu;
                        }
                break;
So I guess this also needs a reduction.

Robin, can you provide a patch?
Daniel, can you test the patch when it is available? The path MTU
discovery might be platform specific...

Best regards
Michael

On May 12, 2009, at 8:24 PM, Daniel Mentz wrote:
I've got the impression that the DTLS part of OpenSSL is based on an incorrect understanding of the term MTU (Maximum Transmission Unit).
My understanding is that the MTU refers to the size of the IP packet including the IP header (usually 20 bytes) and the UDP header (usually 8 bytes) in case UDP is used. This means that I can transfer 1472 bytes of payload if the MTU is 1500 bytes. 

Now, if I start openssl s_server with the following command line

./openssl s_server -dtls1 -no_ecdhe -timeout -cert large.pem -mtu 1400
and monitor packets with wireshark I can see IP packets with a total length of 1428 bytes. From looking at this I infere that OpenSSL interprets the MTU as the maximum payload size of an UDP packet.
If I get rid of the -mtu parameter, rely on Path MTU discovery and set the MTU of the outgoing interface to 1400 I don't get any communication going. But I do see an avalanche of "Destination unreachable (Fragmentation needed)" ICMP messages. I guess that this is due to the incorrect understanding of the MTU. OpenSSL appears to try sending larger packets than allowed by the PMTU. 

Can anyone confirm this problem?

Thanks
-Daniel

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]

Reply via email to