[Solved] IPv6 connectivity issue to `nginx.org` due to tunnel MTU
Alexander Huynh
alex at grande.coffee
Wed Oct 21 03:23:11 UTC 2020
Quick follow-up: after more digging I've found that I can solve it another way: using router advertisements to set the MTU.
Here's a tcpdump showing the problem, note how the MSS is 1440 bidirectionally:
IP6 (flowlabel 0x47dd6, hlim 64, next-header TCP (6) payload length: 44) 2001:db8::1.55652 > 2a05:d014:edb:5704::6.443: Flags [S], cksum 0xffc3 (correct), seq 3046951728, win 65535, options [mss 1440,nop,wscale 6,nop,nop,TS val 1569227211 ecr 0,sackOK,eol], length 0
IP6 (flowlabel 0x68d1d, hlim 41, next-header TCP (6) payload length: 40) 2a05:d014:edb:5704::6.443 > 2001:db8::1.55652: Flags [S.], cksum 0x1350 (correct), seq 2416054786, ack 3046951729, win 8192, options [mss 1440,sackOK,TS val 3541526609 ecr 1569227211,nop,wscale 0], length 0
And here's using MSS clamping to have the router rewrite MSS fields it sees, resulting in a smaller return MSS:
IP6 (flowlabel 0xf55e4, hlim 64, next-header TCP (6) payload length: 44) 2001:db8::1.55198 > 2a05:d014:edb:5704::6.443: Flags [S], cksum 0xe188 (correct), seq 2163962289, win 65535, options [mss 1440,nop,wscale 6,nop,nop,TS val 1569009648 ecr 0,sackOK,eol], length 0
IP6 (flowlabel 0x18b17, hlim 41, next-header TCP (6) payload length: 40) 2a05:d014:edb:5704::6.443 > 2001:db8::1.55198: Flags [S.], cksum 0x3197 (correct), seq 3274704991, ack 2163962290, win 8192, options [mss 1420,sackOK,TS val 3541303899 ecr 1569009648,nop,wscale 0], length 0
By instead using router advertisements, a co-operating OS doesn't have to rely on the router rewrites, and can just do the right thing™ from the start:
IP6 (flowlabel 0x8ce90, hlim 64, next-header TCP (6) payload length: 44) 2001:db8::1.55859 > 2a05:d014:edb:5704::6.443: Flags [S], cksum 0xf73a (correct), seq 3178375029, win 65535, options [mss 1420,nop,wscale 6,nop,nop,TS val 1569335937 ecr 0,sackOK,eol], length 0
IP6 (flowlabel 0x8e947, hlim 41, next-header TCP (6) payload length: 40) 2a05:d014:edb:5704::6.443 > 2001:db8::1.55859: Flags [S.], cksum 0x314c (correct), seq 2240678375, ack 3178375030, win 8192, options [mss 1440,sackOK,TS val 2237309444 ecr 1569335937,nop,wscale 0], length 0
Note the initial lower MSS of 1420.
Given the two options, I think using router advertisements is better than MSS clamping, for multiple reasons:
* the problem packets aren't even generated at all, vs. being constructed and rewritten
* MTU applies to more than just TCP, resolving potential UDP / ICMP / etc. issues
* RAs are more granular, and is more intuitive to apply to different interfaces, including VLANs
* fewer numbers need to be memorized, i.e. translating MTU to MSS
If you have an EdgeRouter and wish to use RAs, then replace the following MSS clamping commands:
> * set firewall options mss-clamp6 mss 1420
> * set firewall options mss-clamp6 interface-type all
With the following RA MTU commands:
* set interfaces switch switch0 ipv6 router-advert link-mtu 1480
Replace `switch switch0` with `ethernet ethX` for an ethernet interface.
Thanks again for reading, and I hope this helps someone down the line.
--
Alex
More information about the nginx
mailing list