Strange speed problems with ipv6 forwarding

Frank Steiner fsteiner-mail1 at bio.ifi.lmu.de
Thu Oct 8 14:58:31 CEST 2015


Hi,

Andras Toth wrote

> Hi Frank,
> 
> Are you sure the traffic does not go out to the internet or take an
> unexpected path? Check ping and traceroute to ensure the path is
> expected and round-trip times are low (as you'd expect on a LAN).
> Verify traceroute in both directions.

I got one step further. tracerout shows that route from inside (A)
outside (B) is A->F->B with F being my firewall.

But route from B to A goes through the router. I've setup all hosts
in the subnet in front of the firewall to route their packets through
the router R that our data center configured for this subnet.

Thus it's B->R->F->A. The same happens for ipv4, no ->R-> when
sending from A to B, but via R from B to A. While it's fast for
ipv4, it's slow for ipv6. So I added a route for the internal
subnet to the routing table of B so that the trace now shows
B->F->A. And then the copying between A and B is at full speed
of 112MB/s.

Now I thought maybe the router could be slow/misconfigured for ipv6
as ipv4 is so fast even with routing B to A via R.
I tested another ipv6 subnet outside the firewall, which is 
not connected to my firewall but to the same router. Say there is
a host named C in this subnet.
As C is not in a common subnet with F, the traceroute for both
directions is A<->F<->R<->C. And this connection is fast! Copying 
between A and C happens with 112 MB/s.

Two things I could imagine now: either the router is somehow
misconfigured only for our ipv6 subnet. 

Or is it possible that ipv6 has a problem with the route from A->B
being different than B->A? Sth. similar as you described here maybe?

> Another idea, perhaps something is misconfigured and the firewall
> thinks that A and B hosts are on the same subnet and it sends out an
> ICMPv6 Redirect packet for each packet transiting the firewall to
> signal the source of a better/direct path. Generating these packets
> might be CPU-intensive for the firewall and slow down the transfer.

Of course the fix for our subnet is simple by adding the additional
configuration route, but I'd like to understand what goes wrong as
soon as B routes to A via R and F and not just F. And why this is
only a problem for ipv6.

cu,
Frank

-- 
Dipl.-Inform. Frank Steiner   Web:  http://www.bio.ifi.lmu.de/~steiner/
Lehrstuhl f. Bioinformatik    Mail: http://www.bio.ifi.lmu.de/~steiner/m/
LMU, Amalienstr. 17           Phone: +49 89 2180-4049
80333 Muenchen, Germany       Fax:   +49 89 2180-99-4049
* Rekursion kann man erst verstehen, wenn man Rekursion verstanden hat. *


More information about the ipv6-ops mailing list