
Teredo MTU logic



Hi,

Last week I spent some time to have [IPsec-protected] Mobile IPv6
traffic be routed over a Teredo interface (everything on Linux using
miredo, umip and the IPsec stack but this is not system specific).

Basically, Teredo interfaces have a default MTU of 1280 bytes. This
prevents their _direct_ use as the underlying device for another
IPv6-in-IPv6 tunnel interface. To clarify things, I expected to be able
to have that kind of traffic on the wire:

      IPv4 / UDP / IPv6 / ESP / IPv6 / Data ...
       20     8     40    50     40

By setting up a Teredo relay at the entry of the site for that specific
kind of traffic, I have the assurance that the traffic from the Mobile
Nodes to their Home Agent will not use another relay (all the traffic
goes to HAs inside the site). This means a higher MTU can be used on
the clients without problem. Keeping it low (1400, i.e. 1430 bytes on
the wire) avoids IPv4 PMTUD related issues.

The question is quite simple: what is the expected way to have Teredo
clients get a higher MTU than the default one?  

Even if Teredo servers act as routers for their clients (RS/RA
exchange), I don't expect them to advertise a higher MTU value in
general. In fact, because the IPv4 PMTU on the path between a client and
a relay is specific to the pair (client, relay), this won't happen in
general. At the moment, my conclusion is that you have 2 solutions to
solve the issue:

1) setting up a relay at the edge of the site with a higher MTU value
   and statically configuring clients
2) setting up a relay at the edge of the site _and_ a server that the
   clients will use to acquire a higher MTU from.

I don't like 2) because it consumes a public IPv4 address and increases
the attack surface. In all cases, setting up a relay is almost required
to improve efficiency (i.e. having a direct routing path).

Comments are welcome.

Regards,

a+
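
The MTU budget behind the message above, as an added example that is not part of the original post: it checks a candidate Teredo MTU against the IPv6 minimum link MTU of 1280 bytes for the stacked tunnel and against the IPv4 path MTU. The per-layer sizes are the ones quoted in the post; the function names and the 1500-byte IPv4 path MTU are assumptions made for illustration.

```python
# Added example: MTU budget for IPv4 / UDP / IPv6 / ESP / IPv6 / Data.
IPV6_MIN_MTU = 1280  # every IPv6 link must be able to carry 1280-byte packets

# Overheads in bytes as quoted in the post. The ESP figure depends on the
# negotiated algorithms; 50 is the value the post uses.
TEREDO_ENCAP = {"IPv4": 20, "UDP": 8}         # added below the Teredo interface
TUNNEL_ENCAP = {"outer IPv6": 40, "ESP": 50}  # added by the tunnel on top of it


def inner_mtu(teredo_mtu):
    """MTU left for the IPv6-in-IPv6 tunnel interface stacked on Teredo."""
    return teredo_mtu - sum(TUNNEL_ENCAP.values())


def on_wire_size(teredo_mtu):
    """Largest IPv4 packet emitted when the Teredo interface MTU is filled."""
    return teredo_mtu + sum(TEREDO_ENCAP.values())


def min_teredo_mtu():
    """Smallest Teredo MTU that still gives the inner tunnel a 1280-byte MTU."""
    return IPV6_MIN_MTU + sum(TUNNEL_ENCAP.values())


def check(teredo_mtu, ipv4_path_mtu=1500):
    """Return a list of problems; ipv4_path_mtu=1500 is an assumed path MTU."""
    problems = []
    inner = inner_mtu(teredo_mtu)
    if inner < IPV6_MIN_MTU:
        problems.append(
            f"inner tunnel MTU {inner} is below the IPv6 minimum {IPV6_MIN_MTU}")
    wire = on_wire_size(teredo_mtu)
    if wire > ipv4_path_mtu:
        problems.append(
            f"{wire}-byte IPv4 packets exceed the path MTU {ipv4_path_mtu}")
    return problems


if __name__ == "__main__":
    print("minimum usable Teredo MTU:", min_teredo_mtu())
    for mtu in (1280, 1400, 1480):  # default, the post's choice, too large
        print(mtu, inner_mtu(mtu), on_wire_size(mtu), check(mtu) or "ok")
```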