That's a good question. I would suggest reading the standards, and
checking what other systems do. My quick reaction is that MTU on a
route is a local matter used to choose MTU on outgoing packets that are
originated, and I don't see why it would affect forwarding. But I can
also see that a philosophy that it's better to send ICMP fragmentation
required as soon as possible.

Regardless, it seems clear that a packet rejected because of a route MTU
should provoke an ICMP fragmentation required with a value no great
than the route MTU. But the first question is about route MTUs in the
first place.

RFC 1191 says, "When a router is unable to forward a datagram because
it exceeds the MTU of the next-hop network and its Don't Fragment bit
is set, the router is required to return an ICMP Destination
Unreachable message to the source of the datagram, with the Code
indicating "fragmentation needed and DF set". To support the Path MTU
Discovery technique specified in this memo, the router MUST include
the MTU of that next-hop network in the low-order 16 bits of the ICMP
header field that is labelled "unused" in the ICMP specification [7]."

It seems reasonable to me to interpret the route's MTU as specifying
"MTU of the next-hop network".

I checked a Debian Linux system (running kernel 2.6.32-5-686), and it
returns the route MTU. E.g., repeating the same type of test as I did
earlier: ip route add 149.20.53.86 dev eth0 mtu 1200

Then from another machine, pinged 149.20.53.86 with a 1300-byte packet
and DF set. The MTU returned in the ICMP fragmentation needed packet
was 1200.

NetBSD's current behavior would seem to break PMTU discovery... it
won't forward DF packets larger than the route MTU, but then it tells
the sender that larger packets are OK.

You can interpret it that way if you want, but that isn't what the text
really says. The "MTU of the next-hop network" it is referring to is
the MTU of the network the outgoing interface is attached to; it is a
synonym for the next hop interface MTU. This also means, of course, that
the text above doesn't really apply to your situation since "exceeds the MTU
of the next-hop network" is not the reason the datagram is being discarded
in your case.

I don't think you'll find much help with route MTUs in the standard documents
since I'm pretty sure standard IP doesn't think that routes have associated
MTUs. This is a non-standard feature someone made up, so someone also gets
to make up what it does and how it does that.
NetBSD's current behavior is indeed broken. If the router is going to
drop the packet because of its size then the ICMP unreachable error it
returns to inform the sender of this must include a packet size that
the router would not drop.

I think Greg's point is a bit different. Since the bit of the standard
you quote says the reason for returning that error is that "a router was
unable to forward a datagram because it exceeds the MTU of the next-hop
network", then because the packet being forwarded in your case did not
"exceed the MTU of the next-hop network" one could argue that the router
shouldn't be discarding the packet in the first place. That is, the ICMP
message is correct but the packet discard which prompted its sending
was incorrect. Since there is no standard for what route MTUs do the
question of what they should do is going to depend on what function they
serve and what is best for that function.

I, like Greg, had the early reaction that the router shouldn't be using
the route MTU when forwarding packets (as opposed to processing packets
originated by the local host-in-the-router). The reason is that the only
use I've seen made of the route MTU field is to implement a cache of PMTUs
discovered by applications running on the local host, and it is normally
considered quite inappropriate for a router to enforce the PMTUs learned
by its local applications on packets originated by other hosts. It is
possible, however, that the field is no longer used for PMTU discovery
caching and that the remaining uses actually do require route MTUs to be
applied to forwarded packets for some reason.

In any case it is clear that something is broken. What isn't clear, however,
is whether it is the MTU in the ICMP message or the packet drop which caused
the message to be sent which is the broken bit.

Dennis Ferguson

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

How does the OS know what the MTU of the next-hop network is? By
adding a static route, I'm declaring what I want the next hop's
outgoing interface to be. It seems reasonable that I should also be
able to use it to declare what the MTU is, if the default MTU assumed
by the system based on the interface type is incorrect for whatever
reason.
It doesn't seem like NetBSD uses it as a PMTU cache--at least I've
never seen "netstat -r" show any routes added due to PMTU discovery.
I was just experimenting with route MTUs when I came across this
problem; I don't have any real need or use for them, so I wouldn't
personally be affected either way. That said, I do think it makes
sense for the route MTU to be a way to administratively set the "MTU
of the next-hop network" for a certain route. Which is what NetBSD
already does-- packets being forwarded through the router that are
larger than the route MTU do get fragmented if DF is not set. This
would also match the Linux behavior, and I think the FreeBSD behavior
too. I haven't actually tried on FreeBSD, but there's a comment in
their ip_input.c:ip_forward() that says, "Try to cache the route MTU
from ip_output so we can consider it for the ICMP_UNREACH_NEEDFRAG
"Next-Hop MTU" field described in RFC1191." followed by
mtu = ro.ro_rt->rt_rmx.rmx_mtu;

Later, when the ICMP needs frag is sent, the MTU sent back is the
minimum of the interface MTU and the route MTU.

Yes.

Otherwise PMTU Discovery does not work.

We can argue about RFC semantics forever and a day but if the

behaviour stays the same then PMTU discovery involving NetBSD

will remain broken in situations like this.

Darren


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

That I agree with... Is there a way to view the PMTU route cache? In
Linux, it's "ip route show cache", and Windows has "netsh interface
ipv4 show destinationcache", but I didn't spot anything relevant in
"apropos mtu" on NetBSD. If I knew what was in the PMTU cache, I could
do a test to see whether the cached MTU affected forwarded packets.

In any case, I think there's agreement that there's a bug, if not
exactly what the bug is. I'll file a PR about it :)

Yes. I agree with Darren on this; see PR 44508, and my thread bringing
it up (right here on tech-net) on 2012-06-14. Since neither of those
apparently did much, it's unlikely this thread will do much either.
But I didn't give patches before; this time I have them, at least for
the versions I run (4.0.1 and 5.2).

4.0.1's is

commit 4e8da79fceebe279dbf150348fb79dd20d10f9e2
Author: Mouse <***@Rodents-Montreal.ORG>
Date: Fri Apr 1 21:44:21 2011 -0400

Get "need to frag but DF set" MTU values righter.

This affects the case where the route's MTU is lower than the
interface's; it would formerly use the interface's MTU, which causes
PMTU-D to loop, since the generated ICMPs contain a nonworking MTU.

diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index d088151..7724373 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1843,6 +1843,7 @@ ip_forward(struct mbuf *m, int srcrt)
int error, type = 0, code = 0, destmtu = 0;
struct mbuf *mcopy;
n_long dest;
+ int rmtu;

/*
* We are now in the output path.
@@ -1934,9 +1935,10 @@ ip_forward(struct mbuf *m, int srcrt)
}
}

+ rmtu = 0;
error = ip_output(m, (struct mbuf *)0, &ipforward_rt,
- (IP_FORWARDING | (ip_directedbcast ? IP_ALLOWBROADCAST : 0)),
- (struct ip_moptions *)NULL, (struct socket *)NULL);
+ (IP_FORWARDING | IP_RETURNMTU | (ip_directedbcast ? IP_ALLOWBROADCAST : 0)),
+ (struct ip_moptions *)NULL, (struct socket *)NULL, &rmtu);

if (error)
ipstat.ips_cantforward++;
@@ -1997,7 +1999,7 @@ ip_forward(struct mbuf *m, int srcrt)
&ipsecerror);
#endif

- destmtu = ipforward_rt.ro_rt->rt_ifp->if_mtu;
+ destmtu = rmtu ? : ipforward_rt.ro_rt->rt_ifp->if_mtu;
#if defined(IPSEC) || defined(FAST_IPSEC)
if (sp != NULL) {
/* count IPsec header size */

5.2's is

commit d7138d8a1fa119cbc83621176524e81bfcacb5ba
Author: Mouse <***@Rodents-Montreal.ORG>
Date: Fri Feb 15 18:52:37 2013 -0500

Get "need to frag but DF set" MTU values righter.

diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 8cd094d..f1920cb 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1847,6 +1847,7 @@ ip_forward(struct mbuf *m, int srcrt)
struct sockaddr dst;
struct sockaddr_in dst4;
} u;
+ int rmtu;

/*
* We are now in the output path.
@@ -1926,8 +1927,8 @@ ip_forward(struct mbuf *m, int srcrt)
}

error = ip_output(m, NULL, &ipforward_rt,
- (IP_FORWARDING | (ip_directedbcast ? IP_ALLOWBROADCAST : 0)),
- (struct ip_moptions *)NULL, (struct socket *)NULL);
+ (IP_FORWARDING | IP_RETURNMTU | (ip_directedbcast ? IP_ALLOWBROADCAST : 0)),
+ (struct ip_moptions *)NULL, (struct socket *)NULL, &rmtu);

if (error)
IP_STATINC(IP_STAT_CANTFORWARD);
@@ -1974,6 +1975,8 @@ ip_forward(struct mbuf *m, int srcrt)
if ((rt = rtcache_validate(&ipforward_rt)) != NULL)
destmtu = rt->rt_ifp->if_mtu;

+ if (rmtu && (rmtu < destmtu)) destmtu = rmtu;
+
#if defined(IPSEC) || defined(FAST_IPSEC)
{
/*

/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML ***@rodents-montreal.org
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

I disagree; there seems to be no notion in the standards that discovered
MTUs for routes are to be propagated. The entire notion of "route MTU"
is just an implementation detail to store PMTU-D information.

A system of nodes that report discovered MTUs seems more complicated and
perhaps more fragile than one in which each host discovers MTUs itself.
But I can't prove the fragile part.
That's an interesting datapoint about practice, but it strikes me as
non-compliant with standards (see below).
I agree that the combination of declining to forward a packet via a
route and returning an interface MTU greater than the route MTU is
broken.

The real question is:

Why is it ok to decline to forward packets because they are bigger
than the route MTU, when the route MTU is about PMTU-D to be used for
locally-sourced packest?


If it is ok to decline, then we need to return route MTU when declining
to forward because of route MTU. If it's not, we need to fix the
forwarding behavior. I just skimmed RFC4821 and found zero discussion
of interaction with forwarding packets. So I believe that route MTUs
(and really the entire routing table entry resulting from PMTU-D) should
be ignored when forwarding packets. The RFC talks about storing PMTU-D
state using flow ids, essentially pointing out that PMTU-D values may
not necessarily be valid for dissimilar packets with the same
destination address.

That leaves routes with explicit MTUs that aren't from PMTU-D as an odd
case. One can view those as buggy or test cases for PMTU-D on the
theory that the route MTU mechanism was added for PMTU-D.

Is it? That seems like the root of the problem then... the routing
table is used to store routing information, including info on how to
route forwarded packets. PTMU-D info should be stored elsewhere... or
at least it should be marked with some flag tht the kernel can look at
to know whether it's a PMTU cache entry or an actual route. AFAICT,
neither Linux nor Windows uses the routing table for its PMTU cache.
I don't think it's OK, but that's an orthogonal issue. If someone
wants to fix that, I'm all for it. However, I don't think that's a
prerequisite for fixing the issue I'm reporting: if NetBSD is going to
drop a packet because it exceeds the MTU, it needs to properly report
what that MTU is.

Here is a patch to fix it the other way (use interface MTU when forwarding)
for NetBSD-current. It is untested, but it has the advantage, to me at
least, of being a 1-line change.

I suggest we fix it this way for now and count the dancing angels once
we have stopped being stuck with the pins.

Index: ip_output.c
===================================================================
RCS file: /cvsroot/src/sys/netinet/ip_output.c,v
retrieving revision 1.224
diff -c -r1.224 ip_output.c
*** ip_output.c 29 Jun 2013 21:06:58 -0000 1.224
--- ip_output.c 28 Dec 2013 20:26:43 -0000
***************
*** 283,289 ****
}
ia = ifatoia(rt->rt_ifa);
ifp = rt->rt_ifp;
! if ((mtu = rt->rt_rmx.rmx_mtu) == 0)
mtu = ifp->if_mtu;
rt->rt_use++;
if (rt->rt_flags & RTF_GATEWAY)
--- 283,290 ----
}
ia = ifatoia(rt->rt_ifa);
ifp = rt->rt_ifp;
! if ((flags & (IP_FORWARDING|IP_RAWOUTPUT) ||
! ((mtu = rt->rt_rmx.rmx_mtu) == 0))
mtu = ifp->if_mtu;
rt->rt_use++;
if (rt->rt_flags & RTF_GATEWAY)

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

Hmm, I don't like that because it makes it impossible to impose a lower
MTU limit for some but not all of the forwarding traffic through an
interface. (This is something that should never be necessary. But the
net is not that ideal.)
I'm not sure why one-line versus five-line makes all that much
difference. If this is done, I expect "route MTUs are ignored when
forwarding" bugs to get filed, because I would certainly _expect_
forwarding traffic using a particular route to pay attention to the
route's MTU. Having route MTUs paid attention to only sometimes
strikes me as far worse than having to change a whole four more lines
in the fix.
Why the derision? As amusing as the turn of phrase is, I don't see the
issue as angel-dancing in any sense and certainly not deserving of
being made out to be ridiculous like this.

Still, it's no skin off my nose, since my systems won't be affected
either way; if you really think NetBSD would be better off paying
attention to route MTUs only sometimes, go for it.

/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML ***@rodents-montreal.org
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

Because it's been two weeks of arguing about _how_ to fix a fairly
serious bug, while nobody's actually checked anything in to fix it
even in the interim even though we all clearly know at least two
different, very simple, ways how. Users shouldn't be left in the
lurch like that while we discuss.
I think that if this discussion illustrates anything, it's that the
notion of a "route MTU" is incoherent -- a back-formed conceptual
rationale for the expedient hack of storing path MTUs in the routing
table, which we're now paying for.

I don't object to storing path MTUs in the routing table, because it
is a central datastructure with properties that make them convenient
to store there and efficient to look up from there (since we already
must do the routing lookup at packet output time). I *do* object
to the bickering over what seems to me to be the consequent neologism
"route MTU" preventing us from quickly applying an obvious fix to
solve these old, very real, problems for users caused by the original
implementation of path MTU.

Thor

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

That's a fair point, but a central design point of the 4.4BSD networking
code is to use (abuse) the (single) routing table for multiple things,
including ARP. It's a reasonable notion that these PMTU-D entries
should be identifiable.

Hi,
True, on layer 3.

Untrue on higher layers, where a MTU is effectively a function of the
whole path between you and the system you are talking to.

I'd argue that for IPSEC, what is *relevant* is the MTU on the path
to the other side of the end host, not the local interface MTU - so
using route MTU is the most likely source of path MTU information that
has useful information to the sender of the to-be-IPSEC-encapsulated
packet how to avoid fragmentation.

gert

Hi,
Because IPSEC-encapsulated packets *are* locally-sourced, on the outer
header?

gert

I see the next problem using MTU route instead of iface route. I know
that it isn't a usual case.

If a router in the path, after of our server does routing based in the
source address, the iface MTU isn't a acurate value. I think that
iface MTU will work in this case.

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de