2 files changed, 12 insertions, 0 deletions

diff --git a/src/vnet/ipip/ipip.c b/src/vnet/ipip/ipip.c
index c49be099d9a..718463d7352 100644
--- a/src/vnet/ipip/ipip.c
+++ b/src/vnet/ipip/ipip.c
@@ -138,6 +138,10 @@ ipip6_fixup (vlib_main_t * vm, ip_adjacency_t * adj, vlib_buffer_t * b,
   ip6_header_t *ip6;
   const ipip_tunnel_t *t = data;
 
+  /* Must set locally originated otherwise we're not allowed to
+     fragment the packet later */
+  b->flags |= VNET_BUFFER_F_LOCALLY_ORIGINATED;
+
   ip6 = vlib_buffer_get_current (b);
   ip6->payload_length =
     clib_host_to_net_u16 (vlib_buffer_length_in_chain (vm, b) -
diff --git a/src/vnet/ipip/node.c b/src/vnet/ipip/node.c
index 60d6223d5f3..6171d3e5d71 100644
--- a/src/vnet/ipip/node.c
+++ b/src/vnet/ipip/node.c
@@ -99,6 +99,14 @@ ipip_input (vlib_main_t * vm, vlib_node_runtime_t * node,
 	  if (is_ipv6)
 	    {
 	      ip60 = vlib_buffer_get_current (b0);
+	      /* Check for outer fragmentation */
+	      if (ip60->protocol == IP_PROTOCOL_IPV6_FRAGMENTATION)
+		{
+		  next0 = IPIP_INPUT_NEXT_DROP;
+		  b0->error = node->errors[IPIP_ERROR_FRAGMENTED_PACKET];
+		  goto drop;
+		}
+
 	      vlib_buffer_advance (b0, sizeof (*ip60));
 	      ip_set (&src0, &ip60->src_address, false);
 	      ip_set (&dst0, &ip60->dst_address, false);