IPSec transport mode, mtu, fragmentation...

Andrey V. Elsukov bu7cher at yandex.ru
Thu Jan 16 13:42:00 UTC 2020


On 23.12.2019 15:00, Andrey V. Elsukov wrote:
> On 20.12.2019 18:23, Victor Sudakov wrote:
>> Dear Colleagues,
>>
>> I've set up IPSec in transport mode between two regular FreeBSD hosts,
>> for testing. Now TCP sessions between those hosts don't work normally
>> any more. For example, scp is stalled almost immediately after starting
>> a file transfer, and so is interactive ssh eventually.
>>
>> I feel that the problem is somehow related to MTU, MSS and fragmentation
>> of ESP packets, because:
>>
>> 1. When IPSec is disabled, I can "ping -s1472 -D" the remote host all
>> right. 
>>
>> 2. When IPSec is enabled, the maximum packet size I've been able to send
>> through is "ping -s1414 -D". ("ping -s1415 -D host-b" already disappears
>> in the void).
> 
> I think the silence from ping is because IPsec works asynchronously.
> I.e. when an application sends data to the stack, it receives good feedback
> and thinks that the data was sent successfully, then it waits for a reply.
> But IPsec consumes the data and then the encrypted data will be sent from
> the crypto thread via a callback. And now it cannot be fragmented due to the
> IP_DF bit, but there is no app waiting for this error code.
> 
> A similar problem exists with TCP. Probably we can try to send a PRC_MSGSIZE
> notify when EMSGSIZE is returned from ip_output(). At least for TCP.

Hi,

I prepared the PoC patch that should fix the problem with TCP and
transport mode IPsec. But I don't have free time currently to properly
test and debug it. It is only compile-tested. But if you want, you can
try :)
Currently only IPv4 support is implemented.

https://people.freebsd.org/~ae/ipsec_transport_mode_ctlinput.diff

-- 
WBR, Andrey V. Elsukov


