gVisor is nominally permitted to send packets up to 1280.
Wireguard adds 30 bytes (1310)
UDP adds 8 bytes (1318)
IP adds 20-60 bytes (1338-1378)

So, I think it really needs to be 1378 to be totally safe

Unfortunately, we can't filter out the devices at the bind, since tailscale binds to 0.0.0.0, meaning all interfaces.

We could potentially intercept and squash Disco packets coming from these interfaces, or artificially inflate Disco packets to the maximum size we expect from Wireguard (1310), such that only paths that handle packets that big can get discovered for p2p.

Disco doesn't have any length parameter built in, so if we padded the messages we'd have to change the protocol. That's a nightmare from back-compatibility standpoint.

Or, figure out how to predict the length of the ciphertext from the plaintext, and pad before we encrypt with NaCl.

Intercepting and squashing Disco packets from particular interfaces is quite difficult because of the way UDP sockets work. For incoming UDP packets we can get their source IP (where they are from), but don't normally get the destination IP or interface. There are some low-level system calls you can make to get this information, but they're not portable, so we'd be handling multiple OS implementations.

The next idea I had was to figure out which interface we'd be sending replies via by looking at the routing table. But again, there is no portable implementation. We'd have to do multiple OS implementations.

Looks like we can pad out Disco pings and pongs prior to encrypting with NaCl. (CallMeMaybe is only ever sent over DERP.)

This has some performance implications, but Disco packets don't get sent that often, so it's probably fine.

Testing on Linux, I've discovered that with the inflated ping/pong packets, the Don't Fragment (DF) flag only gets set if the packet is smaller than the interface MTU. If the interface MTU is smaller than the packet, then it fragments the packet.

1. I think this means that the strategy of inflating the ping/pong packets doesn't really work on its own to keep Tailscale from using interfaces with small MTU. It just fragments and reassembles the packet.

2. It also means that our understanding of the Cloudflare WARP VPN issue might be incomplete. The OS might have been fragmenting the packets --- which is bad for performance, sure, but I don't think it should completely break connectivity. It's possible that other OSes act differently, e.g. dropping UDP datagrams too big for the MTU rather than fragmenting, or that WARP refuses to forward fragmented packets (very odd if true). Or maybe fragmentated performance is just so bad that it brings TCP to its knees?

So, possible next steps:

There is a DONT_FRAGMENT socket option we could try setting. Not sure how portable it is, but in theory it might convince Linux to drop too-large packets instead of fragmenting them. Setting that on the tailscale UDP socket is basically us saying that we should always prefer DERP to a fragmented direct path, which may or may not be faster.

This whole thing is honestly turning into a boondoggle, IMO. We thought it would be easy, and prevent some customer heartburn by automatically preferring DERP over paths with "bad" MTU, but it's turning out to be very difficult and involved. Customers can already work around the issue by setting DISABLE_DIRECT, so maybe we should cut our losses: drop an MTU check into coder netcheck / coder support bundle and call it a day?

@sreya what say we close this issue after #13562 is merged? I don't think there are any tailnet changes we can make that would be worth our time.