TUN-7575: Add option to disable PTMU discovery over QUIC

joliveirinha · joliveirinha · commit 0c8bc569305d · 2023-07-13T10:24:24.000+01:00
This commit implements the option to disable PTMU discovery for QUIC
connections.
QUIC finds the PMTU during startup by increasing Ping packet frames
until Ping responses are not received anymore, and it seems to stick
with that PMTU forever.

This is no problem if the PTMU doesn't change over time, but if it does
it may case packet drops.
We add this hidden flag for debugging purposes in such situations as a
quick way to validate if problems that are being seen can be solved by
reducing the packet size to the edge.

Note however, that this option may impact UDP proxying since we expect
being able to send UDP packets of 1280 bytes over QUIC.
So, this option should not be used when tunnel is being used for UDP
proxying.
diff --git a/cmd/cloudflared/tunnel/cmd.go b/cmd/cloudflared/tunnel/cmd.go
@@ -82,6 +82,11 @@ const (
 	// udpUnregisterSessionTimeout is how long we wait before we stop trying to unregister a UDP session from the edge
 	udpUnregisterSessionTimeoutFlag = "udp-unregister-session-timeout"
 
+	// quicDisablePathMTUDiscovery sets if QUIC should not perform PTMU discovery and use a smaller (safe) packet size.
+	// Packets will then be at most 1252 (IPv4) / 1232 (IPv6) bytes in size.
+	// Note that this may result in packet drops for UDP proxying, since we expect being able to send at least 1280 bytes of inner packets.
+	quicDisablePathMTUDiscovery = "quic-disable-pmtu-discovery"
+
 	// uiFlag is to enable launching cloudflared in interactive UI mode
 	uiFlag = "ui"
 
@@ -692,6 +697,13 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 			Value:  5 * time.Second,
 			Hidden: true,
 		}),
+		altsrc.NewBoolFlag(&cli.BoolFlag{
+			Name:    quicDisablePathMTUDiscovery,
+			EnvVars: []string{"TUNNEL_DISABLE_QUIC_PMTU"},
+			Usage:   "Use this option to disable PTMU discovery for QUIC connections. This will result in lower packet sizes. Not however, that this may cause instability for UDP proxying.",
+			Value:   false,
+			Hidden:  true,
+		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:  connectorLabelFlag,
 			Usage: "Use this option to give a meaningful label to a specific connector. When a tunnel starts up, a connector id unique to the tunnel is generated. This is a uuid. To make it easier to identify a connector, we will use the hostname of the machine the tunnel is running on along with the connector ID. This option exists if one wants to have more control over what their individual connectors are called.",
diff --git a/cmd/cloudflared/tunnel/configuration.go b/cmd/cloudflared/tunnel/configuration.go
@@ -240,6 +240,7 @@ func prepareTunnelConfig(
 		PQKexIdx:                    pqKexIdx,
 		MaxEdgeAddrRetries:          uint8(c.Int("max-edge-addr-retries")),
 		UDPUnregisterSessionTimeout: c.Duration(udpUnregisterSessionTimeoutFlag),
+		DisableQUICPathMTUDiscovery: c.Bool(quicDisablePathMTUDiscovery),
 	}
 	packetConfig, err := newPacketConfig(c, log)
 	if err != nil {
diff --git a/supervisor/tunnel.go b/supervisor/tunnel.go
@@ -70,6 +70,8 @@ type TunnelConfig struct {
 	PacketConfig     *ingress.GlobalRouterConfig
 
 	UDPUnregisterSessionTimeout time.Duration
+
+	DisableQUICPathMTUDiscovery bool
 }
 
 func (c *TunnelConfig) registrationOptions(connectionID uint8, OriginLocalIP string, uuid uuid.UUID) *tunnelpogs.RegistrationOptions {
@@ -596,14 +598,15 @@ func (e *EdgeTunnelServer) serveQUIC(
 	}
 
 	quicConfig := &quic.Config{
-		HandshakeIdleTimeout:  quicpogs.HandshakeIdleTimeout,
-		MaxIdleTimeout:        quicpogs.MaxIdleTimeout,
-		KeepAlivePeriod:       quicpogs.MaxIdlePingPeriod,
-		MaxIncomingStreams:    quicpogs.MaxIncomingStreams,
-		MaxIncomingUniStreams: quicpogs.MaxIncomingStreams,
-		EnableDatagrams:       true,
-		MaxDatagramFrameSize:  quicpogs.MaxDatagramFrameSize,
-		Tracer:                quicpogs.NewClientTracer(connLogger.Logger(), connIndex),
+		HandshakeIdleTimeout:    quicpogs.HandshakeIdleTimeout,
+		MaxIdleTimeout:          quicpogs.MaxIdleTimeout,
+		KeepAlivePeriod:         quicpogs.MaxIdlePingPeriod,
+		MaxIncomingStreams:      quicpogs.MaxIncomingStreams,
+		MaxIncomingUniStreams:   quicpogs.MaxIncomingStreams,
+		EnableDatagrams:         true,
+		MaxDatagramFrameSize:    quicpogs.MaxDatagramFrameSize,
+		Tracer:                  quicpogs.NewClientTracer(connLogger.Logger(), connIndex),
+		DisablePathMTUDiscovery: e.config.DisableQUICPathMTUDiscovery,
 	}
 
 	quicConn, err := connection.NewQUICConnection(

Original file line number	Diff line number	Diff line change
`@@ -240,6 +240,7 @@ func prepareTunnelConfig(`
`240`	`240`	`PQKexIdx: pqKexIdx,`
`241`	`241`	`MaxEdgeAddrRetries: uint8(c.Int("max-edge-addr-retries")),`
`242`	`242`	`UDPUnregisterSessionTimeout: c.Duration(udpUnregisterSessionTimeoutFlag),`
	`243`	`+ DisableQUICPathMTUDiscovery: c.Bool(quicDisablePathMTUDiscovery),`
`243`	`244`	`}`
`244`	`245`	`packetConfig, err := newPacketConfig(c, log)`
`245`	`246`	`if err != nil {`