Amazon ELBs - ICMP and Network Maximum Transmission Unit (MTU) #24254
Comments
@ajohnstone Are you sure only echo request/reply is needed? Not Destination Unreachable?
@rata
The full set of ICMP rules I typically allow are:
There may be merit in considering other ICMP codes.
Yes, and the AWS documentation says also Type 3. So, I really think icmp type 3 is needed for PMTU discovery.
This sounds plausible to me. On Mon, May 9, 2016 at 3:52 PM, rata notifications@github.com wrote:
@justinsb This one lacks a priority. Think it's P1 (needs to be fixed for 1.3) or P2/P3 (can be fixed in 1.4)?
Sounds like this should be easy enough to fix that we can try and get in 1.3, if someone more familiar with the AWS cloudprovider setup is willing to send a pr my way (or to @justinsb) that flips ICMP in the firewall rule
This enables MTU discovery. Fixes kubernetes#24254
Automatic merge from submit-queue AWS: Enable ICMP Type 3 Code 4 for ELBs This enables MTU discovery. Fixes #24254
The firewall rules created on Amazon ELBs do not include ICMP. This means that issues can occur with PMTU. Please see below for more information.
When an HTTP/TCP request exceeds a certain payload size, with ELBs not allowing "ICMP request/reply", the request stalls. This is due to the ELB trying to send big packets to the client but the client dropping them since the MTU was higher than expected.
To avoid this, ICMP traffic should be allowed on the ELB so they can negotiate the MTU:
When enabling ICMP traffic the client will be able to communicate with the ELB normally.
An example of what occurs when ICMP is not enabled.
Ideally security rules for ELBs should be allowed to be attached to an ELB via annotations and/or by default.
ICMP rules at a minimum to avoid this should cover:
*Please note that this does not just affect Amazon ELBs, but in addition direct access to instances too.*
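A check for the condition this issue describes, as an added example that is not code from the Kubernetes issue or project: it inspects a security group in the IpPermissions shape returned by `aws ec2 describe-security-groups` and reports whether ICMP type 3 code 4 (Fragmentation Needed) from a given client can reach the ELB, and it builds the rule that closes the gap. The sample groups, the `sg-example` id and the client addresses are constructed; that the fix adds exactly `icmp` type 3 / code 4 from `0.0.0.0/0` is an assumption based on the merge message above.

```python
from ipaddress import ip_address, ip_network

# ICMP type 3 (Destination Unreachable), code 4 (Fragmentation Needed, DF set):
# the message a router returns so the ELB lowers its path MTU.
FRAG_NEEDED_TYPE = 3
FRAG_NEEDED_CODE = 4

def permission_allows_frag_needed(perm, client_ip):
    """True if one IpPermission entry admits ICMP type 3 code 4 from client_ip.
    For ICMP, AWS stores the type in FromPort and the code in ToPort;
    -1 means any type / any code."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                       # all protocols, every port
        pass
    elif proto == "icmp":
        icmp_type = perm.get("FromPort", -1)
        icmp_code = perm.get("ToPort", -1)
        if icmp_type not in (-1, FRAG_NEEDED_TYPE):
            return False                    # e.g. echo request only (type 8)
        if icmp_type == FRAG_NEEDED_TYPE and icmp_code not in (-1, FRAG_NEEDED_CODE):
            return False                    # type 3 but a different code
    else:
        return False                        # tcp/udp rules never carry ICMP
    return any(ip_address(client_ip) in ip_network(r["CidrIp"], strict=False)
               for r in perm.get("IpRanges", []))

def pmtud_allowed(security_group, client_ip="203.0.113.10"):
    """True if any ingress rule of the group lets Fragmentation Needed in."""
    return any(permission_allows_frag_needed(p, client_ip)
               for p in security_group.get("IpPermissions", []))

def frag_needed_permission(cidr="0.0.0.0/0"):
    """The ingress rule the fix adds, in the IpPermissions shape accepted by
    authorize-security-group-ingress (assumed to match the Kubernetes change)."""
    return {"IpProtocol": "icmp", "FromPort": FRAG_NEEDED_TYPE,
            "ToPort": FRAG_NEEDED_CODE, "IpRanges": [{"CidrIp": cidr}]}

# Constructed sample: an ELB security group as described in the issue,
# HTTP/HTTPS only, with no ICMP rule at all (the PMTUD black hole).
ELB_SG_BEFORE = {"GroupId": "sg-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}

# The same group with the fix's rule appended.
ELB_SG_AFTER = {"GroupId": "sg-example", "IpPermissions":
                ELB_SG_BEFORE["IpPermissions"] + [frag_needed_permission()]}

if __name__ == "__main__":
    print("before fix:", pmtud_allowed(ELB_SG_BEFORE))   # False
    print("after fix: ", pmtud_allowed(ELB_SG_AFTER))    # True
```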