[nsp] ICMP: time exceeded (reassembly)

Bulger, Tim TBulger at ea.com
Wed Feb 4 11:42:27 EST 2004


Please observe example 4.  If DF bit is set in original packet, it is
copied to tunnel packet header.  Of course this only applies to packets
received that are less than the IP MTU of the tunnel as if they were
larger than that, they would get dropped with 'fragmentation needed and
DF set' ICMP message.

Example 4
The forwarding router at the tunnel source receives a 1476-byte datagram
with DF = 1 from the sending host. 

IP | 1456 bytes TCP + data

This router encapsulates the 1476-byte IP datagram inside GRE to get a
1500-byte GRE IP datagram. This GRE IP header will have the DF bit set
(DF = 1) since the original IP datagram had the DF bit set. This router
then forwards this packet to the tunnel destination. 

IP | GRE | IP | 1456 bytes TCP

Again, assume there is a router between the tunnel source and
destination with a link MTU of 1400. This router will not fragment the
tunnel packet since the DF bit is set (DF = 1). This router must drop
the packet and send an ICMP error message to the tunnel source router,
since that is the source IP address on the packet.

-----Original Message-----
From: Dmitry Volkov [mailto:dmitry.volkov at rogers.com] 
Sent: Wednesday, February 04, 2004 5:51 AM
To: Bulger, Tim; 'Victor Sudakov'
Cc: cisco-nsp at puck.nether.net
Subject: RE: [nsp] ICMP: time exceeded (reassembly)

> -----Original Message-----
> From: Bulger, Tim [mailto:TBulger at ea.com]
> Sent: Wednesday, February 04, 2004 1:18 AM
> To: Victor Sudakov; Dmitry Volkov
> Cc: Bulger, Tim; cisco-nsp at puck.nether.net
> Subject: RE: [nsp] ICMP: time exceeded (reassembly)
> > Does it make any difference? As already stated, the tunnel carrier
> > packets are being fragmented, not the tunnel payload.
> With GRE, the setting of the DF bit from the payload packet is carried
> over to the tunnel packet, and as another poster pointed out, 

DF bit is not copied from original header to GRE header

> there are
> subtle differences in the handling of fragmentation between IPIP and
> GRE.  Based on all that you've said, it sounds as if there is some buggy
> behavior taking place somewhere as no fragmentation should be required
> in your environment.
> Good Luck 
> Tim
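
The two posters disagree on whether the payload's DF bit is copied to the GRE carrier header. The sketch below is an added example, not code from either poster or from the quoted document. It models both behaviours with the sizes from Example 4; `copy_df`, `send_through_tunnel` and `fragment` are hypothetical names, and 20-byte IPv4 headers without options are assumed.

```python
IP_HEADER = 20      # IPv4 header without options (assumption)
GRE_OVERHEAD = 24   # outer IPv4 header (20) + basic GRE header (4): 1476 -> 1500

def fragment(total_len, mtu):
    """Lengths of the IPv4 fragments produced when total_len must fit mtu."""
    per_frag = (mtu - IP_HEADER) // 8 * 8   # non-final fragments carry 8-byte units
    data, sizes = total_len - IP_HEADER, []
    while data > mtu - IP_HEADER:
        sizes.append(per_frag + IP_HEADER)
        data -= per_frag
    sizes.append(data + IP_HEADER)
    return sizes

def send_through_tunnel(inner_len, inner_df, copy_df,
                        tunnel_ip_mtu=1476, transit_mtu=1400):
    """Return (verdict, icmp_error_sent_to, carrier_packet_lengths)."""
    if inner_len <= tunnel_ip_mtu:
        payloads = [inner_len]
    elif inner_df:
        # Too big for the tunnel and not fragmentable: error goes to the host.
        return ("drop", "sending host", [])
    else:
        payloads = fragment(inner_len, tunnel_ip_mtu)  # fragment, then encapsulate

    outer_df = inner_df and copy_df   # the point the two posters disagree on
    carrier = []
    for length in payloads:
        outer_len = length + GRE_OVERHEAD
        if outer_len <= transit_mtu:
            carrier.append(outer_len)
        elif outer_df:
            # Transit router may not fragment; the outer source address is the
            # tunnel source router, so that is where the ICMP error is sent.
            return ("drop", "tunnel source router", [])
        else:
            # Carrier packet is fragmented in transit; the tunnel destination
            # has to reassemble it before it can decapsulate.
            carrier.extend(fragment(outer_len, transit_mtu))
    return ("forward", None, carrier)

if __name__ == "__main__":
    for copy_df in (True, False):
        print(copy_df, send_through_tunnel(1476, True, copy_df))
```

With `copy_df=True` the 1500-byte carrier packet is dropped at the 1400-byte link; with `copy_df=False` it is split into two carrier fragments that the tunnel destination must reassemble.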
