On 9/22/20 7:52 AM, Michael Jeanson wrote:
>> the test setup is bad. You have r1 dropping the MTU in VRF red, but not
>> telling VRF red how to send back the ICMP. e.g., for IPv4 add:
>>
>>     ip -netns r1 ro add vrf red 172.16.1.0/24 dev blue
>>
>> do the same for v6.
>>
>> Also, I do not see a reason for r2; I suggest dropping it. What you are
>> testing is icmp crossing VRF with route leaking, so there should not be
>> a need for r2 which leads to asymmetrical routing (172.16.1.0 via r1 and
>> the return via r2).
>
> The objective of the test was to replicate a client's environment where
> packets are crossing from a VRF which has a route back to the source to
> one which doesn't while reaching a ttl of 0. If the route lookup for the
> icmp error is done on the interface in the first VRF, it can be routed to
> the source but not on the interface in the second VRF which is the
> current behaviour for icmp errors generated while crossing between VRFs.
> There may be a better test case that doesn't involve asymmetric routing
> to test this but it's the only way I found to replicate this.
It should work without asymmetric routing; adding the return route to
the second vrf as I mentioned above fixes the FRAG_NEEDED problem. It
should work for TTL as well.
Adding a second pass on the tests with the return through r2 is fine,
but add a first pass for the more typical case.
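The "typical case" the reviewer asks for, written out as an added example script (not code from the thread or from the kernel selftests). It builds the symmetric topology h1 -- r1 -- h2 with network namespaces, puts r1's h1-facing link in VRF blue and its h2-facing link in VRF red with a lower MTU, leaks the h2 prefix from blue into red, and then adds the reviewer's return route in VRF red so that ICMP errors generated there can reach h1. All namespace, interface and VRF names, addresses and table numbers are assumptions. The privileged part only runs as root with `RUN_VRF_TEST=1`; the parser for the cached path MTU is tested against a constructed `ip route get` sample so the script can be checked without a kernel under it.

```shell
#!/bin/sh
# Added example; not from the mailing-list thread or the kernel selftests.
# Topology (all names assumed): h1 --(172.16.1.0/24)-- r1 --(172.16.2.0/24)-- h2
# On r1 the h1-facing link sits in VRF blue and the h2-facing link in VRF red;
# the red link carries the smaller MTU, so FRAG_NEEDED is generated in VRF red.
set -eu

H1_IP=172.16.1.2;  R1_BLUE_IP=172.16.1.1
H2_IP=172.16.2.2;  R1_RED_IP=172.16.2.1
RED_MTU=1400

setup_topology() {
    ip netns add h1; ip netns add r1; ip netns add h2
    ip link add h1r1 type veth peer name r1h1
    ip link add r1h2 type veth peer name h2r1
    ip link set h1r1 netns h1; ip link set r1h1 netns r1
    ip link set r1h2 netns r1; ip link set h2r1 netns h2

    # Two VRFs on r1: blue (towards h1, table 10) and red (towards h2, table 20).
    ip -netns r1 link add blue type vrf table 10
    ip -netns r1 link add red  type vrf table 20
    ip -netns r1 link set blue up; ip -netns r1 link set red up
    ip -netns r1 link set r1h1 master blue
    ip -netns r1 link set r1h2 master red
    ip -netns r1 link set r1h2 mtu "$RED_MTU"   # the MTU drop lives in VRF red

    ip -netns r1 addr add "$R1_BLUE_IP/24" dev r1h1
    ip -netns r1 addr add "$R1_RED_IP/24"  dev r1h2
    ip -netns h1 addr add "$H1_IP/24" dev h1r1
    ip -netns h2 addr add "$H2_IP/24" dev h2r1
    for ns_dev in h1:lo h1:h1r1 r1:lo r1:r1h1 r1:r1h2 h2:lo h2:h2r1; do
        ip -netns "${ns_dev%%:*}" link set "${ns_dev##*:}" up
    done
    ip -netns h1 route add default via "$R1_BLUE_IP"
    ip -netns h2 route add default via "$R1_RED_IP"
    ip netns exec r1 sysctl -q -w net.ipv4.ip_forward=1

    # Route leak blue -> red: h1's traffic to h2 crosses from blue into red.
    ip -netns r1 route add vrf blue 172.16.2.0/24 dev red
}

add_return_route() {
    # The reviewer's fix: VRF red must know how to reach 172.16.1.0/24, or the
    # ICMP errors it generates (FRAG_NEEDED, TIME_EXCEEDED) have no way back.
    ip -netns r1 route add vrf red 172.16.1.0/24 dev blue
}

# Extract the cached path MTU from "ip route get" output; prints nothing
# when no mtu is cached.  $1 is the full (possibly multi-line) output.
pmtu_from_route_get() {
    printf '%s\n' "$1" |
        sed -n 's/.*[[:space:]]mtu[[:space:]]\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Constructed sample of what h1 shows after learning the PMTU from r1.
SAMPLE_ROUTE_GET='172.16.2.2 via 172.16.1.1 dev h1r1 src 172.16.1.2 uid 0
    cache expires 597sec mtu 1400'

run_pmtu_probe() {
    # 1472 bytes payload + 28 bytes headers = 1500 with DF set: r1 has to
    # answer FRAG_NEEDED (mtu 1400) out of VRF red for h1 to learn the PMTU.
    ip -netns h1 route flush cache
    ip netns exec h1 ping -c 1 -W 1 -M do -s 1472 "$H2_IP" >/dev/null 2>&1 || true
    pmtu_from_route_get "$(ip -netns h1 route get "$H2_IP")"
}

run_ttl_probe() {
    # TTL 1 expires on r1 while the packet crosses blue -> red; the
    # TIME_EXCEEDED error needs the same return route out of VRF red.
    ip netns exec h1 ping -c 1 -W 1 -t 1 "$H2_IP" 2>&1 |
        grep -c 'Time to live exceeded' || true
}

if [ "${RUN_VRF_TEST:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    trap 'ip netns del h1; ip netns del r1; ip netns del h2' EXIT
    setup_topology
    echo "pmtu learned without return route: '$(run_pmtu_probe)'"
    add_return_route
    echo "pmtu learned with return route:    '$(run_pmtu_probe)'"
    echo "ttl-exceeded replies seen:         $(run_ttl_probe)"
fi
```

Run as `RUN_VRF_TEST=1 sudo sh vrf_icmp.sh`: the first probe shows whether h1 learns anything before the return route exists, the second whether the FRAG_NEEDED reply makes it back once VRF red has a route to 172.16.1.0/24, and the TTL probe repeats the check for TIME_EXCEEDED. The asymmetric r2 pass from the thread can be layered on afterwards as a second topology.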