[nsd-users] Possible fragmentation issue transferring larger zones over IPv6?
Darren Pilgrim
list_nsd at bluerosetech.com
Tue Apr 8 16:58:52 UTC 2014
On 4/8/2014 12:26 AM, W.C.A. Wijngaards wrote:
> On 03/30/2014 08:31 PM, Darren Pilgrim wrote:
>> It looks like something mid-path in the master's ISP that's
>> breaking PMTU. I can get large pings between the slaves, but I can
>> only get large pings a few steps through the master's ISP. I was
>> really hoping it was something dumb like I had left the fragment
>> rules out of my rulesets.
>
> But NSD uses TCP for zone transfers? I thought that PMTU discovery
> does not really apply to TCP? NSD is unable to create a TCP stream
> and send more than one data-packet worth of data on it? And you
> report that NSD reports a timeout when that happens - like no more
> packets are arriving. Some sort of stateful firewall that has a state
> problem?
PMTU doesn't apply here as it wasn't an MTU issue. It was a
fragmentation issue. In IPv4, fragmentation is TCP's job. The TCP
payload is segmented and each packet on the wire has a TCP header at the
top of the IP payload. In IPv6, fragmentation is IP's job. The system
generates a single large TCP packet, the IP layer enables the
fragmentation extension header, and segments the TCP packet itself. The
problem with that approach is the TCP header only exists in the first
fragment and it's now 8 bytes down from where it would be without the
frag header.
What happens when those fragments reach a stateful/DPI firewall should
be obvious. A well-written firewall will see the fragmentation header
and perform the state check on the identification field of the frag
header instead of the TCP port tuple. In this case, though, the router
was running an older version of pf that doesn't handle IPv6 fragments.
Prior to the issue, the zone AXFR in question was only 1151 bytes--small
enough for a single packet. When I added several new hosts to the zone
with their A, AAAA, TXT, MX and SPF records, the AXFR grew to 1720
bytes--large enough to fragment and not pass this errant router. Once
the ISP added "pass inet6 proto ipv6-frag all" to the ruleset for my
port, it worked just fine.
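The fragment-header behaviour described in the thread, as an added example that is not part of the original post: it builds one TCP/IPv6 packet with an AXFR-sized payload, fragments it at the IP layer so that only the first fragment carries the TCP header (8 bytes deeper than usual), and runs the fragments through a port-only filter and through one that keys later fragments on the Identification field. The 2001:db8:: addresses, the 1280-byte MTU, the dummy payload and the Identification value are constructed, not taken from the post.

```python
import struct
NH_TCP, NH_FRAG = 6, 44           # IPv6 Next Header values for TCP and the Fragment header
MTU = 1280                         # assumed path MTU (the IPv6 minimum); constructed value

def build_tcp_ipv6(src, dst, dport, payload):
    """One unfragmented IPv6 packet carrying a single TCP segment (minimal 20-byte TCP header)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip6 = struct.pack("!IHBB16s16s", 6 << 28, len(tcp) + len(payload), NH_TCP, 64, src, dst)
    return ip6 + tcp + payload

def fragment(pkt, mtu, ident):
    """IP-layer fragmentation: every piece gets an 8-byte Fragment header, only the first has TCP."""
    ip6, body = pkt[:40], pkt[40:]
    step = (mtu - 48) // 8 * 8                       # fragment data is counted in 8-byte units
    frags = []
    for off in range(0, len(body), step):
        chunk = body[off:off + step]
        more = 1 if off + step < len(body) else 0
        frag_hdr = struct.pack("!BBHI", NH_TCP, 0, (off // 8) << 3 | more, ident)
        ip6_frag = ip6[:4] + struct.pack("!HB", 8 + len(chunk), NH_FRAG) + ip6[7:]
        frags.append(ip6_frag + frag_hdr + chunk)
    return frags

def naive_filter(pkt):
    """A ruleset with only 'pass proto tcp to port 53': fragments carry Next Header 44, so none match."""
    return pkt[6] == NH_TCP and struct.unpack("!H", pkt[42:44])[0] == 53

class FragAwareFilter:
    """Checks the first fragment by TCP port, later fragments by (src, dst, Identification)."""
    def __init__(self):
        self.state = set()
    def allow(self, pkt):
        nh, src, dst = pkt[6], pkt[8:24], pkt[24:40]
        if nh == NH_TCP:
            return struct.unpack("!H", pkt[42:44])[0] == 53
        if nh != NH_FRAG:
            return False
        inner_nh, _, offm, ident = struct.unpack("!BBHI", pkt[40:48])
        if offm >> 3 == 0:                           # first fragment: TCP header now starts at byte 48
            ok = inner_nh == NH_TCP and struct.unpack("!H", pkt[50:52])[0] == 53
            if ok:
                self.state.add((src, dst, ident))
            return ok
        return (src, dst, ident) in self.state       # assumes in-order arrival; real filters reassemble

def demo(axfr_len=1720):
    # constructed 2001:db8:: endpoints and a dummy payload sized like the 1720-byte AXFR in the post
    src, dst = bytes.fromhex("20010db8" + "0" * 23 + "1"), bytes.fromhex("20010db8" + "0" * 23 + "2")
    frags = fragment(build_tcp_ipv6(src, dst, 53, b"\x00" * axfr_len), MTU, ident=0x1234)
    fw = FragAwareFilter()
    return len(frags), [naive_filter(f) for f in frags], [fw.allow(f) for f in frags]
```

With the 1720-byte payload the packet splits into two fragments; the port-only filter rejects both (the same default-deny the post ran into before `pass inet6 proto ipv6-frag all` was added), while the fragment-aware filter admits the first by port and the second by Identification.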