VPN and icmp

Donkin, Richard rdonkin at ORCHESTREAM.COM
Wed Aug 23 11:12:17 EDT 2000


> -----Original Message-----
> From: Dana J. Dawson [mailto:dana at INTERPRISE.COM]
> Sent: Mon 21 August 2000 23:27
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: VPN and icmp
>
>
> Neil Ratzlaff wrote:
>
> > We recently tried to set up a Cisco VPN with some NT servers at our end,
> > the other end had Windows something.  Parts of it worked and parts didn't,
> > and we eventually found the cause to be the close Cisco router sending icmp
> > type 3 code 4 packets back to the NT machines.  The packets from NT had the
> > 'Don't Fragment' bit set, and Cisco couldn't encrypt them and still fit
> > them under the packet size limit.  I suggested the NT owners stop setting
> > the Don't Fragment bit, and they said there was no way to do that.  They
> > also cited RFC 1853:
> >
> > 3.1.  Tunnel MTU Discovery
> >     When the Don't Fragment bit is set by the originator and copied into
> >     the outer IP header, the proper MTU of the tunnel will be learned
> >     from ICMP (Type 3 Code 4) "Datagram Too Big" errors reported to the
> >     encapsulator.  To support originating hosts which use this
> >     capability, all implementations MUST support Path MTU Discovery
> >     [RFC-1191, RFC-1435] within their tunnels.
> >
> > So....  questions:
> > 1.  Can NT stop setting the Don't Fragment bit, and if so, how?
> > 2.  What is the best way to deal with this situation?
> >
> > Thanks,
> > Neil
> >
> > VPN is sponsored by SecurityFocus.COM
>
> If the NT box is setting the DF bit (presumably with the intent of doing MTU
> Path Discovery), and the local Cisco box is replying with Datagram Too Big
> errors, then it's the NT box's responsibility to fall back to a smaller MTU
> until the packets get through. If this isn't happening, it's an NT problem, not
> a Cisco problem.  I don't understand where the Cisco bug is, unless there's a
> part of the picture I haven't picked up on.
>
> Dana

This is true if the Cisco tunnel start point router is generating the ICMP
message (but I think NT would respond to that). It may be that a mid-tunnel
router has a smaller MTU than that of the IPSec tunnel start point; when
this mid-tunnel router generates the Datagram Too Big ICMP packet, it goes
to the tunnel start point, not to the host.  So the host never sees that its
MTU is too big, and in fact the tunnel start point may not be able to find
out the actual source of the offending packet, since the ICMP packet doesn't
include enough header information.

Options are to either turn off Path MTU discovery (search the MS Knowledge
Base for articles on this, it's definitely possible) or to explicitly set
the MTU lower on the host's NIC.

Richard
--
rdonkin at orchestream.com                   http://www.orchestream.com
Tel: +44 (0)20 7348 1507 (direct)         Orchestream Ltd.
     +44 (0)20 7348 1500 (switchboard)    Avon House, Kensington Village,
Fax: +44 (0)20 7348 1501                  Avonmore Road
>>>> IP Service Activation >>>>           London W14 8TS, UK
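Added illustration, not part of the thread: a small Python model of the failure Richard describes. It builds the ESP tunnel packet with DF copied outward, has a mid-tunnel router with a smaller MTU generate the Type 3 Code 4 error, and then shows what the tunnel start point can and cannot recover from it. Addresses, SPI and the 36-byte ESP IV/pad/ICV overhead are constructed assumptions, not values from the thread.

```python
import struct

ESP_PROTO, TCP_PROTO = 50, 6

def ip4(addr):
    return bytes(int(o) for o in addr.split("."))

def ipv4_header(src, dst, proto, total_len, df):
    """Minimal 20-byte IPv4 header; checksum left zero (constructed sample, never sent)."""
    flags = 0x4000 if df else 0  # DF bit lives in the flags/fragment-offset field
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags,
                       64, proto, 0, ip4(src), ip4(dst))

def esp_tunnel_encapsulate(inner_pkt, outer_src, outer_dst, spi, seq, overhead=36):
    """Tunnel-mode ESP: outer IP header + SPI/seq + inner packet (treated as opaque ciphertext)
    + an assumed `overhead` bytes for IV/pad/ICV. DF is copied outward per RFC 1853 3.1."""
    df = bool(struct.unpack("!H", inner_pkt[6:8])[0] & 0x4000)
    esp = struct.pack("!II", spi, seq) + inner_pkt + b"\0" * overhead
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, 20 + len(esp), df) + esp

def icmp_frag_needed(offending_pkt, next_hop_mtu):
    """ICMP Type 3 Code 4 as a mid-tunnel router builds it (RFC 1191 layout): next-hop MTU
    in the header, then the offending IP header plus only its first 8 payload bytes."""
    ihl = (offending_pkt[0] & 0x0F) * 4
    return struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + offending_pkt[:ihl + 8]

def parse_frag_needed(icmp):
    """What the tunnel start point can learn from the error: the next-hop MTU, the outer
    addresses/protocol it quotes, and 8 payload bytes (for ESP: just SPI and sequence number)."""
    q = icmp[8:]
    ihl = (q[0] & 0x0F) * 4
    spi, seq = struct.unpack("!II", q[ihl:ihl + 8])
    return {"next_hop_mtu": struct.unpack("!H", icmp[6:8])[0], "proto": q[9],
            "outer_src": ".".join(map(str, q[12:16])), "outer_dst": ".".join(map(str, q[16:20])),
            "spi": spi, "seq": seq}

def simulate(host_src="10.0.0.5", host_dst="10.1.0.7", host_mtu=1500, mid_tunnel_mtu=1400):
    """Constructed scenario from the thread: the NT host sends a full-size DF packet, the tunnel
    start point encapsulates it, and a smaller-MTU router in the tunnel path rejects it."""
    inner = ipv4_header(host_src, host_dst, TCP_PROTO, host_mtu, df=True) + b"\xaa" * (host_mtu - 20)
    outer = esp_tunnel_encapsulate(inner, "192.0.2.1", "198.51.100.1", spi=0x1000, seq=7)
    assert len(outer) > mid_tunnel_mtu  # DF is set on the outer header, so the router cannot fragment
    icmp = icmp_frag_needed(outer, mid_tunnel_mtu)
    report = parse_frag_needed(icmp)
    report["icmp_sent_to"] = report["outer_src"]          # the error reaches the encapsulator, not the host
    report["inner_src_in_quote"] = ip4(host_src) in icmp  # the quoted bytes stop at SPI/seq
    report["host_mtu_needed"] = mid_tunnel_mtu - (len(outer) - host_mtu)  # value to set on the host NIC
    return report
```

The report shows the error is addressed to the tunnel endpoint and quotes only the outer header plus SPI/sequence, so the originating host's address is absent; `host_mtu_needed` is the NIC MTU that would make the encrypted packet fit, which is the second workaround given above.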
