
MSS Clamping Not Applied to VRF Interface from MPLS Cloud
Open, Normal, Public, BUG

Description

It seems as though MSS clamping is not being done in the case of an interface inside a VRF, and coming out of an MPLS cloud.

Traffic coming from the VRF, and destined to go into the MPLS cloud, is being clamped.

Interface config

ethernet eth0 {
    description "To TEST-CR-1"
    mtu 1450
}
ethernet eth1 {
    description "To TEST-CR-3"
    mtu 1450
}
ethernet eth2 {
    address xxx.xxx.31.169/24
    description CORE-NET
    hw-id xx:xx:xx:xx:xx:a1
    ip {
        adjust-mss 1300
    }
    mtu 9000
    vrf INTERNET
}
loopback lo {
    address xxx.xxx.2.2/32
}
macsec macsec0 {
    address xxx.xxx.12.1/30
    ip {
        adjust-mss 1300
    }
    mtu 1400
    security {
        cipher gcm-aes-256
        encrypt
        static {
            key xxxxxx
            peer TEST-CR-1 {
                key xxxxxx
                mac xx:xx:xx:xx:xx:de
            }
        }
    }
    source-interface eth0
}
macsec macsec1 {
    address xxx.xxx.23.1/30
    ip {
        adjust-mss 1300
    }
    mtu 1400
    security {
        cipher gcm-aes-256
        encrypt
        static {
            key xxxxxx
            peer TEST-CR-2 {
                key xxxxxx
                mac xx:xx:xx:xx:xx:de
            }
        }
    }
    source-interface eth1
}

nft rule

table ip raw {
        chain VYOS_TCP_MSS {
                type filter hook forward priority raw; policy accept;
                oifname "eth2" tcp flags syn / syn,rst tcp option maxseg size 1301-65535 tcp option maxseg size set 1300
                oifname "macsec1" tcp flags syn / syn,rst tcp option maxseg size 1301-65535 tcp option maxseg size set 1300
                oifname "macsec0" tcp flags syn / syn,rst tcp option maxseg size 1301-65535 tcp option maxseg size set 1300
        }
}

tcpdump of external interface

21:35:44.861147 bc:24:11:cf:36:a1 > a6:e1:1a:ef:ec:be, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 62, id 333, offset 0, flags [DF], proto TCP (6), length 60)
     10.0.31.169.33608 > 52.149.246.39.443: Flags [S], cksum 0x5b1b (correct), seq 1944170184, win 64240, options [mss 1460,sackOK,TS val 1477811659 ecr 0,nop,wscale 7], length 0
21:35:44.899297 a6:e1:1a:ef:ec:be > bc:24:11:cf:36:a1, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    52.149.246.39.443 > 10.0.31.169.33608: Flags [S.], cksum 0x681c (correct), seq 1738005423, ack 1944170185, win 43440, options [mss 1460,sackOK,TS val 2107081551 ecr 1477811659,nop,wscale 7], length 0

Protocols config

bgp {
    neighbor xxx.xxx.12.12 {
        address-family {
            ipv4-vpn {
                nexthop-self {
                }
            }
        }
        remote-as XXXXXX
        update-source lo
    }
    neighbor xxx.xxx.32.32 {
        address-family {
            ipv4-vpn {
                nexthop-self {
                }
            }
        }
        remote-as XXXXXX
        update-source lo
    }
    parameters {
        router-id xxx.xxx.2.2
    }
    system-as 65001
}
mpls {
    interface macsec0
    interface macsec1
    ldp {
        discovery {
            transport-ipv4-address xxx.xxx.2.2
        }
        interface macsec0
        interface macsec1
        interface lo
        router-id xxx.xxx.2.2
    }
    parameters {
        no-propagate-ttl
    }
}
ospf {
    area 0 {
        network xxx.xxx.2.2/32
        network xxx.xxx.12.0/30
        network xxx.xxx.23.0/30
    }
    interface lo {
        passive {
        }
    }
    interface macsec0 {
    }
    interface macsec1 {
    }
}

VRF config

protocols {
    bgp {
        address-family {
            ipv4-unicast {
                export {
                    vpn
                }
                import {
                    vpn
                }
                label {
                    vpn {
                        export auto
                    }
                }
                rd {
                    vpn {
                        export xxx.xxx.2.2:1
                    }
                }
                redistribute {
                    static {
                    }
                }
                route-target {
                    vpn {
                        export xxx.xxx.2.2:1
                        import 65001:1
                    }
                }
            }
        }
        parameters {
            router-id xxx.xxx.2.2
        }
        system-as 65001
    }
    ospf {
        area 0 {
            network xxx.xxx.31.0/24
        }
    }
    static {
        route xxx.xxx.0.0/0 {
            next-hop xxx.xxx.31.241 {
            }
        }
    }
}
table 150

Details

Difficulty level: Unknown (require assessment)
Version: VyOS 1.5-rolling-202312010026
Why the issue appeared? Will be filled on close
Is it a breaking change? Behavior change
Issue type: Bug (incorrect behavior)

Event Timeline

Adding trace, and monitoring, shows that the rule is never being hit.

oifname "eth2" tcp flags syn / syn,rst tcp option maxseg size 1301-65535 tcp option maxseg size set 1300 meta nftrace set 1 # handle 7

tcpdump of internal MPLS interface during initial connection

23:51:06.518839 0a:e5:ec:30:0f:bb > a6:d4:24:a0:05:de, ethertype MPLS unicast (0x8847), length 103: MPLS (label 18, tc 0, ttl 255)
        (label 16, tc 0, [S], ttl 255)
        (tos 0x0, ttl 62, id 40636, offset 0, flags [none], proto UDP (17), length 81)
    10.0.17.11.53 > 10.10.10.6.44935: [udp sum ok] 46737 q: A? duck.com. 1/0/1 duck.com. [10s] A 40.89.244.232 ar: . OPT UDPsize=1232 (53)
23:51:06.522132 a6:d4:24:a0:05:de > 0a:e5:ec:30:0f:bb, ethertype MPLS unicast (0x8847), length 78: MPLS (label 80, tc 0, [S], ttl 63)
        (tos 0x0, ttl 63, id 20337, offset 0, flags [DF], proto TCP (6), length 60)
    10.10.10.6.49068 > 40.89.244.232.443: Flags [S], cksum 0xbba7 (correct), seq 3442740659, win 64240, options [mss 1460,sackOK,TS val 1084719903 ecr 0,nop,wscale 7], length 0
23:51:06.565968 0a:e5:ec:30:0f:bb > a6:d4:24:a0:05:de, ethertype MPLS unicast (0x8847), length 82: MPLS (label 18, tc 0, ttl 255)
        (label 16, tc 0, [S], ttl 255)
        (tos 0x0, ttl 49, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    40.89.244.232.443 > 10.10.10.6.49068: Flags [S.], cksum 0x20fe (correct), seq 3795538799, ack 3442740660, win 43440, options [mss 1300,sackOK,TS val 4207328262 ecr 1084719903,nop,wscale 7], length 0
23:51:06.569007 a6:d4:24:a0:05:de > 0a:e5:ec:30:0f:bb, ethertype MPLS unicast (0x8847), length 70: MPLS (label 80, tc 0, [S], ttl 63)
        (tos 0x0, ttl 63, id 20338, offset 0, flags [DF], proto TCP (6), length 52)
    10.10.10.6.49068 > 40.89.244.232.443: Flags [.], cksum 0xf6b6 (correct), seq 1, ack 1, win 502, options [nop,nop,TS val 1084719949 ecr 4207328262], length 0
23:51:06.569007 a6:d4:24:a0:05:de > 0a:e5:ec:30:0f:bb, ethertype MPLS unicast (0x8847), length 472: MPLS (label 80, tc 0, [S], ttl 63)
        (tos 0x0, ttl 63, id 20339, offset 0, flags [DF], proto TCP (6), length 454)
    10.10.10.6.49068 > 40.89.244.232.443: Flags [P.], cksum 0x5441 (correct), seq 1:403, ack 1, win 502, options [nop,nop,TS val 1084719950 ecr 4207328262], length 402
23:51:06.612358 0a:e5:ec:30:0f:bb > a6:d4:24:a0:05:de, ethertype MPLS unicast (0x8847), length 74: MPLS (label 18, tc 0, ttl 255)
        (label 16, tc 0, [S], ttl 255)
        (tos 0x0, ttl 49, id 1361, offset 0, flags [DF], proto TCP (6), length 52)
    40.89.244.232.443 > 10.10.10.6.49068: Flags [.], cksum 0xf599 (correct), seq 1, ack 403, win 337, options [nop,nop,TS val 4207328309 ecr 1084719950], length 0
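An added check, not part of the report or of VyOS, that reads verbose tcpdump text of the kind pasted above and reports SYN/SYN-ACK segments whose MSS option is still above the 1300 set with adjust-mss. It uses the report's own capture lines as input, so it reproduces the finding that the SYN leaving towards eth2 escapes clamping while the SYN-ACK returning into the MPLS cloud is clamped.

```python
import re

# Capture lines quoted from the report: the external (eth2) side and the MPLS side.
EXTERNAL_CAPTURE = """\
21:35:44.861147 bc:24:11:cf:36:a1 > a6:e1:1a:ef:ec:be, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 62, id 333, offset 0, flags [DF], proto TCP (6), length 60)
     10.0.31.169.33608 > 52.149.246.39.443: Flags [S], cksum 0x5b1b (correct), seq 1944170184, win 64240, options [mss 1460,sackOK,TS val 1477811659 ecr 0,nop,wscale 7], length 0
21:35:44.899297 a6:e1:1a:ef:ec:be > bc:24:11:cf:36:a1, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    52.149.246.39.443 > 10.0.31.169.33608: Flags [S.], cksum 0x681c (correct), seq 1738005423, ack 1944170185, win 43440, options [mss 1460,sackOK,TS val 2107081551 ecr 1477811659,nop,wscale 7], length 0
"""
MPLS_CAPTURE = """\
23:51:06.522132 a6:d4:24:a0:05:de > 0a:e5:ec:30:0f:bb, ethertype MPLS unicast (0x8847), length 78: MPLS (label 80, tc 0, [S], ttl 63)
        (tos 0x0, ttl 63, id 20337, offset 0, flags [DF], proto TCP (6), length 60)
    10.10.10.6.49068 > 40.89.244.232.443: Flags [S], cksum 0xbba7 (correct), seq 3442740659, win 64240, options [mss 1460,sackOK,TS val 1084719903 ecr 0,nop,wscale 7], length 0
23:51:06.565968 0a:e5:ec:30:0f:bb > a6:d4:24:a0:05:de, ethertype MPLS unicast (0x8847), length 82: MPLS (label 18, tc 0, ttl 255)
        (label 16, tc 0, [S], ttl 255)
        (tos 0x0, ttl 49, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    40.89.244.232.443 > 10.10.10.6.49068: Flags [S.], cksum 0x20fe (correct), seq 3795538799, ack 3442740660, win 43440, options [mss 1300,sackOK,TS val 4207328262 ecr 1084719903,nop,wscale 7], length 0
"""
# Packet header line: timestamp, MACs, then the ethertype that tells us which side we are on.
_HDR = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ .*?ethertype (MPLS unicast|IPv4)")
# Indented TCP line: src.port > dst.port: Flags [..] ... options [...]
_TCP = re.compile(r"^\s+(\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\].*?options \[([^\]]*)\]")
_MSS = re.compile(r"\bmss (\d+)")

def parse_syns(capture):
    """Return one record per TCP segment carrying the SYN flag."""
    records, encap = [], None
    for line in capture.splitlines():
        hdr = _HDR.match(line)
        if hdr:  # remember how this packet arrived (MPLS-encapsulated or plain IPv4)
            encap = "mpls" if hdr.group(1).startswith("MPLS") else "ipv4"
            continue
        m = _TCP.match(line)
        if not m or "S" not in m.group(5):
            continue
        mss = _MSS.search(m.group(6))
        records.append({"encap": encap, "src": m.group(1), "dst": m.group(3),
                        "syn_ack": "." in m.group(5),  # '[S.]' is SYN+ACK
                        "mss": int(mss.group(1)) if mss else None})
    return records

def unclamped(records, clamp):
    """SYNs whose MSS option is still above the configured adjust-mss value."""
    return [r for r in records if r["mss"] is not None and r["mss"] > clamp]

if __name__ == "__main__":
    for name, cap in (("eth2", EXTERNAL_CAPTURE), ("mpls", MPLS_CAPTURE)):
        for r in unclamped(parse_syns(cap), 1300):
            print(f"{name}: {r['src']} -> {r['dst']} mss {r['mss']} not clamped to 1300")
```

Feed it `tcpdump -nnvv -i <iface> 'tcp[tcpflags] & tcp-syn != 0'` output to verify the clamp on any interface; an empty result means every SYN seen carried an MSS at or below the configured value.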
Viacheslav triaged this task as Normal priority. Jan 20 2024, 1:58 PM