From: Luiz Angelo Daros de Luca <luizluca@gmail.com>
To: Hugo Slabbert <hugo.slabbert@menlosecurity.com>
Cc: "Daniel Gröber" <dxld@darkboxed.org>,
"Marek Küthe" <m-k-mailling-list@mk16.de>,
wireguard@lists.zx2c4.com
Subject: Re: IPv6 and PPPoE with MSSFIX
Date: Mon, 28 Aug 2023 19:22:05 -0300 [thread overview]
Message-ID: <CAJq09z588fZZnQ8zy4TDGvGrmZBL0vZXFNVKG+T1JMDX0pmrcQ@mail.gmail.com> (raw)
In-Reply-To: <CAOx9P4_HZeioFjGSb0hqFNEdk8dci+q6x=j7L9QGMoX-seUKdQ@mail.gmail.com>
Hello,
I did some proof-of-concept tests and got nice results. Here is my
current script (https://github.com/luizluca/wireguard-ipv6-pmtu)
It runs as a shell script and updates allowed_ips routes (ipv4 and
ipv6) when there is a cached PMTU to that endpoint (or the local
interface is using a smaller MTU). It just works as expected, avoiding
the fragmentation on the fly for IPv6-connected peers. It must run
periodically as "ip monitor" does not emit events for cached routes.
The best result is when you run it on both sides as it can only fix
the traffic from that endpoint.
As we have already discussed, standard IPv4 has a smaller header and
the default wireguard MTU has some room to fit most tunneling
protocols).
I hit some interesting problems along the way:
1) "ip route get" might fail if all routes that would match also
include a "from". You need to find out the source address wireguard is
using before testing the route. I'm digging it from the conntrack
table but I wish there was a better way.
2) PMTU runs in cycles. It generates a temporary cached route with MTU
once it receives a "packet too big" answer. However, until the route
is gone (expiring, for example), there is no way to generate a traffic
that will retrigger that "packet too big" or refresh the route. Once
the route is gone, the script will remove the MTU limitation,
wireguard might eventually trigger a new "packet too big" and, on its
next run, the script can adjust the MTU. We would need to add some
state to the script to know that a cached route is gone and try to
retrigger the PMTU before removing the MTU limitations. We could also
do some brute force approach like pinging every peer using a large
packet (1500-40-8) before each cycle or simply keep the MTU limitation
forever as it would not hurt that much.
For those who want to play with it, have fun!
Regards,
Luiz
next prev parent reply other threads:[~2023-08-28 22:24 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-22 20:39 Luiz Angelo Daros de Luca
2023-08-23 14:58 ` Marek Küthe
2023-08-23 17:14 ` Daniel Gröber
2023-08-23 19:01 ` Luiz Angelo Daros de Luca
2023-08-23 20:47 ` Hugo Slabbert
2023-08-28 22:22 ` Luiz Angelo Daros de Luca [this message]
2023-08-23 17:07 ` Daniel Gröber
2023-08-23 19:55 ` Luiz Angelo Daros de Luca
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAJq09z588fZZnQ8zy4TDGvGrmZBL0vZXFNVKG+T1JMDX0pmrcQ@mail.gmail.com \
--to=luizluca@gmail.com \
--cc=dxld@darkboxed.org \
--cc=hugo.slabbert@menlosecurity.com \
--cc=m-k-mailling-list@mk16.de \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).