792 – mtu and NAT wrong solution

Bug 792 - mtu and NAT wrong solution

Summary: mtu and NAT wrong solution

Status:	CLOSED INVALID

Alias:	None

Product:	Portable OpenSSH
Classification:	Unclassified
Component:	Miscellaneous (show other bugs)
Version:	-current
Hardware:	All Linux

Importance:	P4 major
Assignee:	OpenSSH Bugzilla mailing list

URL:
Keywords:

Depends on:
Blocks:

Reported:	2004-01-22 07:10 AEDT by Enrique Arizon Benito
Modified:	2004-04-14 12:24 AEST (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Enrique Arizon Benito 2004-01-22 07:10:54 AEDT

It's well known that ssh tunneling have problems crossing an IP masquerading
gateway and solutions point to reduce the interface MTU. But reducing the
interface MTU makes many other applications not to work or to run extremly
slowly. For example Windows clients behind the NAT can't connect to terminal
servers when I reduce it. 
So I think it must be considered a bug or a "requested feature" to let ssh
choose the length of its own data packets.

Due to this problem I can't properly use ssh for tunneling VNC or SMB shares or
even cvs (with -Z option activated).


P.S.:
 All the test I have made are based on ADSL 256/128 and RDSI connections.

 Also notice that all the VPN solutions I have tested provide for some method to
control packet length to avoid problems .( CIPE, POPTOP, OpenVPN) so maybe is
just a matter of "copy and paste" some free available code.

Comment 1 Damien Miller 2004-01-22 07:40:41 AEDT

MTU is not relevant to port forwarding, as it happens at the application layer.
Is that what you are referring to?

Comment 2 Enrique Arizon Benito 2004-01-22 08:20:10 AEDT

Well, the problem affect ssh in general when traversing a NAT (IP masquerading)
firewall. But since sshd is usually located in the gateway-NAT and used as Tunel
terminator the problem get mainly noticed when tunneling (port forwarding) some
other protocol (VNC, SMB, ...).

More info available on this issue in:
 http://www.snailbook.com/faq/mtu-mismatch.auto.html

Comment 3 Darren Tucker 2004-01-22 11:08:10 AEDT

Actually, the problem can affect any application, it's just that ssh's traffic
patterns hit the problem more often than most.

TCP has an elegant solution to the problem called "Path MTU Discovery" (which
the FAQ mentions it but does not detail): the stack sets the DF bit on the
outgoing TCP segments and relies on ICMP "fragmentation neeeded" messages being
sent back if the size exceeds the MTU on the way.  The problem is many firewalls
and NAT devices drop those ICMP packets.  Try turing it on if your hosts support it.

OpenSSH works with TCP.  IP Packet sizes and interface MTUs are not its problem.
 The MTU fix in the FAQ is a really a work-around for broken networks.  If you
aren't happy with the performance, fix your network.  Otherwise live with it.

BTW:
* if you have apps that don't work with lower MTUs either the app or the IP
stack is broken.  Note that you'll have to reduce the MTU on *all* of the
machines behind your NAT box.

* The other products you mention are all packet-based VPNS.  OpenSSH isn't.
(OpenVPN and CIPE use UDP for data packets, PoPToP uses IP directly).

* If you're using ADSL you're probably using PPPoE.  If that's the case, you
only need to reduce the MTU to 1492 (assuming you're using classic ethernet
encapsulation, if you're using 802.3 then subtract another 8 bytes).

Comment 4 Damien Miller 2004-04-14 12:24:20 AEST

Mass change of RESOLVED bugs to CLOSED