MTU/MSS testing IPv6

Erik Nygren erik at nygren.org
Fri Apr 29 14:17:24 CEST 2016


As for testing tools, scamper is the only one I've found when I last looked
(in 2014?); it doesn't support running on Linux out of the box.
http://wand.net.nz/scamper/pmtud

For example, you can do:

        sudo scamper -F ipfw -I "tbit -M 1280 -t pmtud -S $sourceip -u $url" $targetip

Where $url has to be an HTTP URL that returns a large enough object and
$targetip is what you want to test.  On Linux, $sourceip is a dedicated
non-primary address where you have a firewall rule filter:

        ip6tables -I INPUT -p tcp --sport 80 -d $sourceip -j DROP

The right way to do this on Linux would be to add a new backend to scamper,
but for this to work you have to disable the existing check that BSD ipfw
is working.  For example:

==== CUT HERE ====
--- scamper-cvs-20140530/scamper/tbit/scamper_tbit_do.c 2013-08-07
17:55:29.000000000 -0400
+++ scamper-cvs-mod/scamper/tbit/scamper_tbit_do.c      2014-10-21
14:07:33.053470510 -0400
@@ -2634,11 +2636,26 @@
       sfw.sfw_5tuple_sport = tbit->dport;
       sfw.sfw_5tuple_dport = tbit->sport;

+
+
+
+
+
+#if 1  /* Hack to run on Linux... */
+   run with:
+         scamper -F ipfw -I "tbit -M 1280 -t pmtud -S $sourceip -u $url"
$targetip
+    after putting in a firewall rule first to drop inputs on a dedicated
address:
+         ip6tables -I INPUT -p tcp --sport 80 -d $sourceip -j DROP
+     */
+
+      state->fw = NULL;
+#else
       if((state->fw = scamper_firewall_entry_get(&sfw)) == NULL)
        {
          scamper_debug(__func__, "could not get firewall entry");
          goto err;
        }
+#endif

       state->mode = MODE_SYN;
     }
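Review bot: In the `#if 1` branch the comment is already closed on the `#if 1  /* Hack to run on Linux... */` line, so the "run with:" instructions and the trailing `*/` that follow sit outside any comment and the file will not compile as shown; open the comment on its own line and keep the usage text inside it. Separately, `#if 1` makes `state->fw = NULL;` unconditional, so the `scamper_firewall_entry_get(&sfw)` path is compiled out on BSD as well; a platform guard such as `#ifdef __linux__` would keep the existing check where ipfw works. The run of added blank lines before the `#if` can also be dropped.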
==== CUT HERE ====

On Fri, Apr 29, 2016 at 2:30 AM, Mikael Abrahamsson <swmike at swm.pp.se> wrote:

>
> Hi,
>
> I've run into a scenario where a website doesn't seem to be listening to
> PTB. I can reach them just fine from an MTU1500 clean IPv6 connection, but
> if I reach from a MTU1500<->MTU1480<->MTU1500 connection, it doesn't work.
> I don't get the big packets after SYN handshake.
>
> I've been considering asking iis.se (the .SE ccTLD registry, who are
> already running multiple testing tools for web sites and domain name
> owners) to include these kinds of testing, and perhaps develop more of them.
>
> So I'd like to gather some information and feedback here.
>
> 1. Are there already FOSS tools out there that could be used for this,
> or would be good to enhance to include capability for this kind of testing?
> I don't want to waste work, and if I can enhance FOSS tools already
> existing and also solve my problem, that's a double win.
>
> 2. Test cases? From my testing, I've seen two different behaviors just in
> the last two days:
>
> Site A as described in top paragraph, probably doesn't listen to PTB. Can
> be either because they drop PTBs, or traffic traverses a load
> balancer/IPv4v6proxy that doesn't correctly handle PTB.
>
> Site B which sends all data packets as fragments. This is most likely
> because they have some kind of AFTR where the IPv4 side has MTU1500 and the
> IPv6 side has MTU1320 or something like that.
>
> Neither of these is of course optimal, and I'd like to be able to test for
> these and tell the site owner that their solution either is broken or
> suboptimal (the fragment case isn't strictly broken, it's just not a good
> way to do things).
>
> Opinions? Thoughts?
>
> --
> Mikael Abrahamsson    email: swmike at swm.pp.se
>
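
An added example, not part of the thread and not scamper code: one way to tell apart the two behaviours described above ("Site A" ignoring PTB, "Site B" fragmenting everything) from the server's raw IPv6 data packets captured before and after the test's Packet Too Big. The function names, result labels and sample packets are assumptions constructed for this illustration, and only the first Next Header field is inspected.

```python
import struct

IPV6_HDR_LEN = 40
NH_TCP = 6
NH_FRAGMENT = 44      # IPv6 Fragment extension header
PTB_MTU = 1280        # MTU announced in the test's PTB, as in "tbit -M 1280"

def parse_ipv6(pkt: bytes):
    """Return (total_length, is_fragment) for one raw IPv6 packet."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_hdr = struct.unpack("!HB", pkt[4:7])
    # Assumption: a Fragment header behind other extension headers is not detected.
    return IPV6_HDR_LEN + payload_len, next_hdr == NH_FRAGMENT

def classify(before_ptb, after_ptb, mtu=PTB_MTU):
    """Classify a server from its data packets seen before and after the PTB."""
    pre = [parse_ipv6(p) for p in before_ptb]
    post = [parse_ipv6(p) for p in after_ptb]
    if pre and all(frag for _, frag in pre):
        return "always-fragments"      # "Site B" in the thread
    if not any(size > mtu for size, _ in pre):
        return "inconclusive"          # object too small to exceed the test MTU
    if not post:
        return "no-data-after-ptb"     # nothing retransmitted during the capture
    if any(size > mtu for size, _ in post):
        return "ptb-ignored"           # "Site A": still sending oversized packets
    return "pmtud-ok"

def make_pkt(total_len, next_hdr=NH_TCP):
    """Constructed sample: IPv6 header (2001:db8::/32 addresses) + zero payload."""
    src = bytes.fromhex("20010db8" + "00" * 11 + "01")
    dst = bytes.fromhex("20010db8" + "00" * 11 + "02")
    hdr = struct.pack("!IHBB", 6 << 28, total_len - IPV6_HDR_LEN, next_hdr, 64)
    return hdr + src + dst + bytes(total_len - IPV6_HDR_LEN)

if __name__ == "__main__":
    # All inputs below are constructed sample packets, not captured traffic.
    print(classify([make_pkt(1500)], [make_pkt(1500)]))        # ptb-ignored
    print(classify([make_pkt(1500)], [make_pkt(1280)]))        # pmtud-ok
    print(classify([make_pkt(1320, NH_FRAGMENT)] * 2, []))     # always-fragments
    print(classify([make_pkt(600)], []))                       # inconclusive
```
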


More information about the ipv6-ops mailing list