[mirror_frr.git] / nhrpd / README.kernel

KERNEL REQUIREMENTS
===================

The linux kernel has had various major regressions, performance
issues and subtle bugs (especially in pmtu). Here is a short list
of some -stable kernels and the first point release that is supposedly
working well with opennhrp/dmvpn:
  3.12.8 or later
  3.14.54 or later
  3.18.22 or later[1]

[1] But you need to apply the following two backported commits:
    3cdaa5be9e ipv4: Don't increase PMTU with Datagram Too Big message
    cb6ccf09d6 route: Use ipv4_mtu instead of raw rt_pmtu

See below for list of known issues in various kernel versions.

Kernels earlier than 3.12 need CONFIG_ARPD enabled in the configuration.
Many distributions do not enable it by default, and you may need to
compile your own kernel.

KERNEL BUGS
===========

DMVPN and mGRE support in the kernel has been brittle. There are various
regressions in multiple kernel versions.

This list tries to collect them to one source of information:

- forward pmtu is disabled intentionally (but tunnel devices rely on it)
  Broken since 3.14-rc1:
    commit "ipv4: introduce ip_dst_mtu_maybe_forward and protect forwarding path against pmtu spoofing"
  Workaround:
    Set sysctl net.ipv4.ip_forward_use_pmtu=1
    See: https://marc.info/?t=143636239500003&r=1&w=2 for details
    (Should fix kernel to have this by default on for tunnel devices)

- subtle path mtu mishandling issues
  Broken since (uncertain)
  Fixed in 4.1-rc2:
    commit "ipv4: Don't increase PMTU with Datagram Too Big message."
    commit "route: Use ipv4_mtu instead of raw rt_pmtu"

- fragmentation of large packets inside tunnel not working
  Broken since 3.11-rc1
    commit "ip_tunnels: Use skb-len to PMTU check."
  Fixed in 3.14.54, 3.18.22, 4.1.9, 4.2-rc3
    commit "ip_tunnel: fix ipv4 pmtu check to honor inner ip header df"

- ipsec will crash during xfrm gc
  Broke since 3.15-rc1
    commit "flowcache: Make flow cache name space aware"
  Fixed in 3.18.10, 4.0
    commit "flowcache: Fix kernel panic in flow_cache_flush_task"

- TSO on GRE tunnels failed, and resulted in very slow performance
  Broke since 3.14.24, 3.18-rc3
    commit "gre: Use inner mac length when computing tunnel length"
  Fixed in 3.14.30, 3.18.4
    commit "gre: fix the inner mac header in nbma tunnel xmit path"
    commit "gre: Set inner mac header in gro complete"

- NAPI GRO handling was broken; causing immediate crash (32-bit only?)
  Broken since 3.13-rc1
    commit "net: gro: allow to build full sized skb"
  Fixed 3.14.5, 3.15-rc7
    commit "net: gro: make sure skb->cb[] initial content has not to be zero"

- ip_gre dst caching broke NBMA GRE tunnels
  Broken since 3.14-rc1
  Fixed in 3.14.5, 3.15-rc6
    commit "ipv4: ip_tunnels: disable cache for nbma gre tunnels"

- Few packets can be lost when neighbor entry is in NUD_PROBE state,
  and there is continuous traffic to it.
  Broken since dawn of time
  Fixed in 3.15-rc1
    commit "neigh: probe application via netlink in NUD_PROBE"

- GRO was implemented for GRE, but the hw capabilities were not updated
  correctly. In practice forwarding from non-GRE (physical) interface
  to GRE interface with gro/gso/tx offloads enabled (also on the target
  interface) does not work properly.
  Broken around 3.9 to 3.11, need to check details.

- recvfrom() returned incorrect NBMA address, breaking NAT detection
  Broken since 3.10-rc1
    commit "GRE: Refactor GRE tunneling code."
  Fixed in 3.10.27, 3.12.8, 3.13-rc7
    commit "ip_gre: fix msg_name parsing for recvfrom/recvmsg"

- sendto() was broken causing opennhrp not work at all
  Broken since 3.10-rc1
    commit "GRE: Refactor GRE tunneling code."
  Fixed in 3.10.12, 3.11-rc6
    commit "ip_gre: fix ipgre_header to return correct offset"

- PMTU was broken due to GRE driver rewrite
  Broken since 3.10-rc1
    commit "GRE: Refactor GRE tunneling code."
  Fixed in 3.11-rc1
    commit "ip_tunnels: Use skb-len to PMTU check."

- PMTU was broken due to routing cache removal
  Broken since 3.6-rc1
    commit "ipv4: Cache input routes in fib_info nexthops"
  Fixed in 3.11-rc1
    commit "ipv4: use next hop exceptions also for input routes"
    + 3 other commits
    Patches exist for 3.10, but they were not approved to 3.10-stable.

- Race condition during bootup: changing ARP flag did not flush
  existing neighbor entries, causing problems if traffic was routed
  to gre interface before opennhrp was running.
  Broken since dawn of time
  Fixed in 3.11-rc1
    commit "arp: flush arp cache on IFF_NOARP change"

- Crash in IPsec
  Broken since 3.9-rc1
    commit "xfrm: removes a superfluous check and add a statistic"
  Fixed in 3.10-rc3
    commit "xfrm: properly handle invalid states as an error"

- An incorrect ip_gre change broke NHRP traffic over GRE
  Broken since 3.8-rc2
    commit "ip_gre: make ipgre_tunnel_xmit() not parse network header as IP unconditionally"
  Fixed in 3.8.5, 3.9-rc4
    commit "Revert "ip_gre: make ipgre_tunnel_xmit() not parse network header as IP unconditionally""

- Multicast traffic over mGRE was broken.
  Broken since 2.6.34-rc2
    commit "gre: fix hard header destination address checking"
  Fixed in 2.6.39-rc2
    commit "net: gre: provide multicast mappings for ipv4 and ipv6"

- Serious performance issues causing small throughput on medium to large DMVPN networks
  Broken since dawn of time
  Fixed in 2.6.35
    multiple commits rewriting ipsec caching

- Even though around 2.6.24 is the first version where opennhrp started
  to work, there has been various PMTU, performance, and functionality
  bugs before 2.6.34. That's one of the first version I consider stable
  wrt. to opennhrp functionality.
Commit	Line	Data
2fb975da TT	1	KERNEL REQUIREMENTS
	2	===================
	3
	4	The linux kernel has had various major regressions, performance
	5	issues and subtle bugs (especially in pmtu). Here is a short list
	6	of some -stable kernels and the first point release that is supposedly
	7	working well with opennhrp/dmvpn:
	8	3.12.8 or later
	9	3.14.54 or later
	10	3.18.22 or later[1]
	11
	12	[1] But you need to apply the following two backported commits:
	13	3cdaa5be9e ipv4: Don't increase PMTU with Datagram Too Big message
	14	cb6ccf09d6 route: Use ipv4_mtu instead of raw rt_pmtu
	15
	16	See below for list of known issues in various kernel versions.
	17
	18	Kernels earlier than 3.12 need CONFIG_ARPD enabled in the configuration.
	19	Many distributions do not enable it by default, and you may need to
	20	compile your own kernel.
	21
	22	KERNEL BUGS
	23	===========
	24
	25	DMVPN and mGRE support in the kernel has been brittle. There are various
	26	regressions in multiple kernel versions.
	27
	28	This list tries to collect them to one source of information:
	29
	30	- forward pmtu is disabled intentionally (but tunnel devices rely on it)
	31	Broken since 3.14-rc1:
	32	commit "ipv4: introduce ip_dst_mtu_maybe_forward and protect forwarding path against pmtu spoofing"
	33	Workaround:
	34	Set sysctl net.ipv4.ip_forward_use_pmtu=1
46d38021	35	See: https://marc.info/?t=143636239500003&r=1&w=2 for details
2fb975da TT	36	(Should fix kernel to have this by default on for tunnel devices)
	37
	38	- subtle path mtu mishandling issues
	39	Broken since (uncertain)
	40	Fixed in 4.1-rc2:
	41	commit "ipv4: Don't increase PMTU with Datagram Too Big message."
	42	commit "route: Use ipv4_mtu instead of raw rt_pmtu"
	43
	44	- fragmentation of large packets inside tunnel not working
	45	Broken since 3.11-rc1
	46	commit "ip_tunnels: Use skb-len to PMTU check."
	47	Fixed in 3.14.54, 3.18.22, 4.1.9, 4.2-rc3
	48	commit "ip_tunnel: fix ipv4 pmtu check to honor inner ip header df"
	49
	50	- ipsec will crash during xfrm gc
	51	Broke since 3.15-rc1
	52	commit "flowcache: Make flow cache name space aware"
	53	Fixed in 3.18.10, 4.0
	54	commit "flowcache: Fix kernel panic in flow_cache_flush_task"
	55
	56	- TSO on GRE tunnels failed, and resulted in very slow performance
	57	Broke since 3.14.24, 3.18-rc3
	58	commit "gre: Use inner mac length when computing tunnel length"
	59	Fixed in 3.14.30, 3.18.4
	60	commit "gre: fix the inner mac header in nbma tunnel xmit path"
	61	commit "gre: Set inner mac header in gro complete"
	62
	63	- NAPI GRO handling was broken; causing immediate crash (32-bit only?)
	64	Broken since 3.13-rc1
	65	commit "net: gro: allow to build full sized skb"
	66	Fixed 3.14.5, 3.15-rc7
	67	commit "net: gro: make sure skb->cb[] initial content has not to be zero"
	68
	69	- ip_gre dst caching broke NBMA GRE tunnels
	70	Broken since 3.14-rc1
	71	Fixed in 3.14.5, 3.15-rc6
	72	commit "ipv4: ip_tunnels: disable cache for nbma gre tunnels"
	73
	74	- Few packets can be lost when neighbor entry is in NUD_PROBE state,
	75	and there is continuous traffic to it.
	76	Broken since dawn of time
	77	Fixed in 3.15-rc1
	78	commit "neigh: probe application via netlink in NUD_PROBE"
	79
	80	- GRO was implemented for GRE, but the hw capabilities were not updated
	81	correctly. In practice forwarding from non-GRE (physical) interface
	82	to GRE interface with gro/gso/tx offloads enabled (also on the target
	83	interface) does not work properly.
	84	Broken around 3.9 to 3.11, need to check details.
	85
	86	- recvfrom() returned incorrect NBMA address, breaking NAT detection
	87	Broken since 3.10-rc1
	88	commit "GRE: Refactor GRE tunneling code."
	89	Fixed in 3.10.27, 3.12.8, 3.13-rc7
	90	commit "ip_gre: fix msg_name parsing for recvfrom/recvmsg"
	91
	92	- sendto() was broken causing opennhrp not work at all
	93	Broken since 3.10-rc1
	94	commit "GRE: Refactor GRE tunneling code."
	95	Fixed in 3.10.12, 3.11-rc6
	96	commit "ip_gre: fix ipgre_header to return correct offset"
	97
	98	- PMTU was broken due to GRE driver rewrite
	99	Broken since 3.10-rc1
100	commit "GRE: Refactor GRE tunneling code."
101	Fixed in 3.11-rc1
102	commit "ip_tunnels: Use skb-len to PMTU check."
103
104	- PMTU was broken due to routing cache removal
105	Broken since 3.6-rc1
106	commit "ipv4: Cache input routes in fib_info nexthops"
107	Fixed in 3.11-rc1
108	commit "ipv4: use next hop exceptions also for input routes"
109	+ 3 other commits
110	Patches exist for 3.10, but they were not approved to 3.10-stable.
111
112	- Race condition during bootup: changing ARP flag did not flush
113	existing neighbor entries, causing problems if traffic was routed
114	to gre interface before opennhrp was running.
115	Broken since dawn of time
116	Fixed in 3.11-rc1
117	commit "arp: flush arp cache on IFF_NOARP change"
118
119	- Crash in IPsec
120	Broken since 3.9-rc1
121	commit "xfrm: removes a superfluous check and add a statistic"
122	Fixed in 3.10-rc3
123	commit "xfrm: properly handle invalid states as an error"
124
125	- An incorrect ip_gre change broke NHRP traffic over GRE
126	Broken since 3.8-rc2
127	commit "ip_gre: make ipgre_tunnel_xmit() not parse network header as IP unconditionally"
128	Fixed in 3.8.5, 3.9-rc4
129	commit "Revert "ip_gre: make ipgre_tunnel_xmit() not parse network header as IP unconditionally""
130
131	- Multicast traffic over mGRE was broken.
132	Broken since 2.6.34-rc2
133	commit "gre: fix hard header destination address checking"
134	Fixed in 2.6.39-rc2
135	commit "net: gre: provide multicast mappings for ipv4 and ipv6"
136
137	- Serious performance issues causing small throughput on medium to large DMVPN networks
138	Broken since dawn of time
139	Fixed in 2.6.35
140	multiple commits rewriting ipsec caching
141
142	- Even though around 2.6.24 is the first version where opennhrp started
143	to work, there has been various PMTU, performance, and functionality
144	bugs before 2.6.34. That's one of the first version I consider stable
145	wrt. to opennhrp functionality.
146