VPN MTU limit breaks ssh connection to openssh 6.2p2 server

Ernst Kratschmer ernstk at us.ibm.com
Sat Nov 9 08:21:16 EST 2013


Hi Eitan et al., 

at the moment I only have Fedora 18 / 19 servers and a Win7 client behind 
the firewall connecting via VPN available for testing. Neither system 
accepts a "ping -DF" command. From the Win7 client I can do a "ping -l 
size" (-l size  Send buffer size.) or "ping -f -l size" (-f  Set Don't 
Fragment flag in packet (IPv4-only).). In either case the maximum number 
of bytes I can pack into the ping request is 1252. This 1252 byte limit is 
the same for sending the ping request over VPN or over the LAN (I lost you 
as far as the purpose of this test is concerned).

I did some additional testing and noticed the following. With openssh 
6.1p1 the "cipher string" gets broken up into two packets which add up to 
exactly 840 bytes (same as the single packet at large MTU) when I set the 
server to a smaller MTU size of e.g. 1200 (<<1362 VPN limit). With openssh 
6.2p2 the "cipher string" gets broken up into two packets which add up to 
1464 bytes, which is different from the 1460 bytes of the single packet at 
large MTU, when I set a server MTU size of e.g. 1200. This 4 byte 
difference only happens with openssh 6.2p2, when the "cipher string" gets 
split into two packets. 

Things get even more weird with openssh 6.2p2 and an MTU of e.g. 600. The 
"cipher string" gets broken up into 1160 and 384 bytes (again 4 more than 
the original 1460), and not into three packets as I had expected. After 
the 384 byte packet has been sent from the server, both client and server 
engage in a long list of resets (R flag set). 


-Ernst




From:
Eitan Adler <lists at eitanadler.com>
To:
Ernst Kratschmer/Watson/IBM at IBMUS, 
Cc:
Alex Bligh <alex at alex.org.uk>, "openssh-unix-dev at mindrot.org" 
<openssh-unix-dev at mindrot.org>, Damien Miller <djm at mindrot.org>, Darren 
Tucker <dtucker at zip.com.au>
Date:
11/08/2013 12:53 PM
Subject:
Re: VPN MTU limit breaks ssh connection to openssh 6.2p2 server



On Fri, Nov 8, 2013 at 12:33 PM, Ernst Kratschmer <ernstk at us.ibm.com> 
wrote:
> Hi Alex,

[ top posting makes it difficult to follow ]

> I am sorry, but I don't know what "ping with DF set" is.

DF is the "Don't Fragment" bit

> I can run "ping -l size". This fails if size is greater than 1252, over
> VPN or LAN.

-l is not useful here.  You may want to use -g and -G.
By default the DF bit is not set.  You may use the -D flag to set it.

> Not sure if this helps.


-- 
Eitan Adler
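The test Eitan describes (probing with the DF bit set until the largest echo that still passes is found) is the standard way to measure the usable path MTU; the following script is an added example, not code from this thread, its authors or the OpenSSH project. It binary-searches the largest DF-marked ICMP payload a path carries and converts it to a path MTU and TCP MSS. Its assumptions are not stated in the thread: IPv4 only (20-byte IP header plus 8-byte ICMP echo header, so MTU = payload + 28; MSS = MTU - 40 with no TCP options), and a default probe that shells out to the Linux iputils `ping`, whose `-M do` flag sets DF (the Windows equivalent is the `ping -f -l <size>` form Ernst uses). The `simulated_path` helper is a constructed stand-in so the search can be exercised offline; under that IPv4 arithmetic a 1252-byte payload ceiling like the one reported above corresponds to a 1280-byte path MTU.

```python
"""Path MTU probe helper (added example, not from the openssh-unix-dev thread).

Binary-searches the largest ICMP echo payload that a path carries with the
Don't Fragment bit set, then derives the path MTU and the TCP MSS a host on
that path should advertise.

Assumptions (not stated in the thread):
  * IPv4 only: 20-byte IP header + 8-byte ICMP header = 28 bytes overhead,
    so MTU = largest DF payload + 28.
  * TCP MSS = MTU - 40 (20-byte IP header + 20-byte TCP header, no options).
  * The default probe uses the Linux iputils ping, which sets DF with "-M do".
"""
import subprocess
from typing import Callable, Dict

IPV4_ICMP_OVERHEAD = 28   # 20-byte IPv4 header + 8-byte ICMP echo header
IPV4_TCP_OVERHEAD = 40    # 20-byte IPv4 header + 20-byte TCP header
ETHERNET_MAX_PAYLOAD = 1472  # largest echo payload on a 1500-byte MTU link


def linux_df_ping(host: str, timeout_s: int = 1) -> Callable[[int], bool]:
    """Return a probe that sends one DF-marked echo of the given payload size.

    iputils flags: -M do (set DF, never fragment), -s (payload bytes),
    -c 1 (one request), -W (reply timeout).  A non-zero exit code means the
    echo was not answered (dropped, or rejected locally as too long).
    """
    def probe(payload: int) -> bool:
        result = subprocess.run(
            ["ping", "-M", "do", "-s", str(payload), "-c", "1",
             "-W", str(timeout_s), host],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
        )
        return result.returncode == 0
    return probe


def largest_df_payload(probe: Callable[[int], bool],
                       lo: int = 0, hi: int = ETHERNET_MAX_PAYLOAD) -> int:
    """Binary-search the largest payload size for which probe() succeeds.

    Invariant: probe(lo) succeeds; anything above hi is assumed to fail.
    Returns -1 if even the smallest probe fails (path is down or filtered).
    """
    if not probe(lo):
        return -1
    while lo < hi:
        mid = (lo + hi + 1) // 2   # round up so the loop always makes progress
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def path_mtu_from_payload(payload: int) -> int:
    return payload + IPV4_ICMP_OVERHEAD


def tcp_mss_for_mtu(mtu: int) -> int:
    return mtu - IPV4_TCP_OVERHEAD


def discover(probe: Callable[[int], bool]) -> Dict[str, int]:
    """Run the search and report the largest payload, path MTU and TCP MSS."""
    payload = largest_df_payload(probe)
    if payload < 0:
        return {"payload": -1, "mtu": -1, "mss": -1}
    mtu = path_mtu_from_payload(payload)
    return {"payload": payload, "mtu": mtu, "mss": tcp_mss_for_mtu(mtu)}


def simulated_path(mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a path that drops DF packets larger than mtu."""
    return lambda payload: payload + IPV4_ICMP_OVERHEAD <= mtu


if __name__ == "__main__":
    import sys
    # With a hostname argument, probe the real path; otherwise run the
    # constructed 1280-byte simulation so the script works offline.
    host = sys.argv[1] if len(sys.argv) > 1 else None
    probe = linux_df_ping(host) if host else simulated_path(1280)
    print(discover(probe))
```

Run it as `python3 pmtu_probe.py <host>` on a Linux box; the reported MSS is the value to compare against the TCP segment sizes seen in a capture when an SSH handshake stalls on a smaller-MTU path.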
