Bug 1908775

Summary: MTU is not set correctly for IPsec case
Product: OpenShift Container Platform
Reporter: Mark Gray <mark.d.gray>
Component: Networking
Assignee: Mark Gray <mark.d.gray>
Networking sub component: ovn-kubernetes
QA Contact: Anurag saxena <anusaxen>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: high
CC: anbhat, anusaxen, kewang, mark.d.gray
Version: 4.7
Target Release: 4.7.0
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Last Closed: 2021-02-08 17:18:09 UTC
Type: Bug

Description Mark Gray 2020-12-17 15:15:40 UTC
Description of problem:

MTU should be adjusted when IPsec is enabled to account for packet overhead of adding IPsec headers.

Version-Release number of selected component (if applicable): OCP 4.7


How reproducible:


Steps to Reproduce:
1. Start cluster with IPsec disabled
2. Create Pod
3. Run `ip l | grep mtu` in pod to view MTU
4. Start cluster with IPsec enabled
5. Create Pod
6. Run `ip l | grep mtu` in pod to view MTU


Actual results:
* MTUs are the same value

Expected results:
* MTU with IPsec enabled should be adjusted to account for IPsec header

Additional info:

Comment 1 Anurag saxena 2020-12-17 15:31:38 UTC
@mark.d.gray@redhat.com What's the IPsec MTU overhead supposed to be?

Comment 3 Mark Gray 2020-12-18 15:58:06 UTC
@anusaxen: The overhead is 46B at a maximum.

Comment 8 Mark Gray 2021-01-04 18:00:14 UTC
(In reply to Ke Wang from comment #6)
> Per doc
> https://access.redhat.com/documentation/en-us/openshift_container_platform/3.11/html/cluster_administration/admin-guide-ipsec,
> the ipsec overhead is 62B.

The overhead of IPsec depends on the IPsec mode (transport or tunnel) and the encryption algorithm used. I am unsure how it was configured in 3.11 but it may have been using different parameters. For 4.7, it should have a maximum overhead of 46B. The motivation for this is described in the commit message of the PR.
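
The comparison from the Steps to Reproduce, automated as an added example (not part of the bug report or the ovn-kubernetes code): it parses two `ip l` captures and checks that every pod interface is at least 46 bytes lower with IPsec enabled. The function names and the sample `ip l` text, including the 1400 MTU, are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: check that pod MTUs dropped by the IPsec overhead.
IPSEC_OVERHEAD=46   # bytes; the maximum quoted in this bug for 4.7

# Constructed `ip l` output for a pod whose eth0 has MTU $1 (not real cluster data).
sample_ip_l() {
  printf '%s\n' \
    '1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT' \
    '    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00' \
    "3: eth0@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu $1 qdisc noqueue state UP" \
    '    link/ether 0a:58:0a:80:02:05 brd ff:ff:ff:ff:ff:ff link-netnsid 0'
}

# Read `ip l` output on stdin; print "name mtu" for each non-loopback interface.
parse_mtus() {
  awk '/^[0-9]+: / && !/LOOPBACK/ {
    name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
    for (i = 3; i < NF; i++) if ($i == "mtu") print name, $(i + 1)
  }'
}

# check_ipsec_mtu PLAIN_OUTPUT IPSEC_OUTPUT
# Returns 0 only if every interface in the IPsec capture is at least
# IPSEC_OVERHEAD bytes below the same interface in the non-IPsec capture.
check_ipsec_mtu() {
  local plain ipsec name mtu base status=0
  plain=$(printf '%s\n' "$1" | parse_mtus)
  ipsec=$(printf '%s\n' "$2" | parse_mtus)
  [ -n "$ipsec" ] || { echo "no interfaces parsed" >&2; return 2; }
  while read -r name mtu; do
    base=$(printf '%s\n' "$plain" | awk -v n="$name" '$1 == n { print $2 }')
    if [ -z "$base" ]; then
      echo "FAIL $name: no baseline MTU"; status=1
    elif [ $((base - mtu)) -ge "$IPSEC_OVERHEAD" ]; then
      echo "OK   $name: $base -> $mtu"
    else
      echo "FAIL $name: $base -> $mtu, want <= $((base - IPSEC_OVERHEAD))"; status=1
    fi
  done <<EOF
$ipsec
EOF
  return "$status"
}

# The behaviour reported here: same MTU with and without IPsec.
check_ipsec_mtu "$(sample_ip_l 1400)" "$(sample_ip_l 1400)" || echo "MTU not adjusted"
```

For a real check, pass the `ip l` output captured inside a pod on each cluster as the two arguments.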