IPSec transport mode, mtu, fragmentation...
Andrey V. Elsukov
bu7cher at yandex.ru
Fri Jan 17 09:51:33 UTC 2020
On 17.01.2020 12:36, Victor Sudakov wrote:
> Back to the point. I've figured out that both encrypted (in transport
> mode) and unencrypted TCP segments have the same MSS=1460. Then I'm
> completely at a loss how the encrypted packets avoid being fragmented.
> TCP has no way to know in advance that encryption overhead will be
> added.
For IPsec endpoints (i.e. when you encrypt your own sessions), TCP, for
each outgoing packet, invokes the IPSEC_HDRSIZE() method, which returns
the approximate size required for IPsec, and using this information it
calculates the MSS. I think it should work this way.
--
WBR, Andrey V. Elsukov
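
An added illustration, not part of the original message and not code from the FreeBSD tree: the exact ESP transport-mode overhead per RFC 4303 for two constructed parameter sets, and the largest TCP data length that then fits in a 1500-byte MTU without fragmentation. The message describes IPSEC_HDRSIZE() as returning an approximate size, so kernel figures may differ; the struct and function names below are hypothetical.

```c
#include <stdio.h>

/* Constructed ESP parameter sets using RFC 4303 field sizes (assumptions). */
struct esp_params {
    const char *name;
    unsigned iv_len;   /* IV bytes carried in every packet */
    unsigned align;    /* cipher block size; padding aligns to this (min 4) */
    unsigned icv_len;  /* integrity check value bytes */
};

static const struct esp_params AES_CBC_SHA1 = { "aes-cbc + hmac-sha1-96", 16, 16, 12 };
static const struct esp_params AES_GCM16    = { "aes-gcm-16", 8, 4, 16 };

/* Bytes ESP adds around `payload` bytes (TCP header + data in transport mode). */
unsigned esp_overhead(const struct esp_params *p, unsigned payload)
{
    unsigned align = p->align < 4 ? 4 : p->align;
    /* payload + padding + pad-length(1) + next-header(1) must be aligned */
    unsigned pad = (align - (payload + 2) % align) % align;
    return 8 /* SPI + sequence */ + p->iv_len + pad + 2 + p->icv_len;
}

/* Largest TCP data length that fits in one unfragmented IPv4 packet. */
unsigned max_tcp_payload(const struct esp_params *p, unsigned mtu, unsigned tcp_opts)
{
    const unsigned ip_hdr = 20, tcp_hdr = 20 + tcp_opts;
    unsigned len = mtu - ip_hdr - tcp_hdr;  /* plain TCP: 1460 at MTU 1500 */
    while (len > 0 &&
           ip_hdr + tcp_hdr + len + esp_overhead(p, tcp_hdr + len) > mtu)
        len--;
    return len;
}

int main(void)
{
    const struct esp_params *sets[] = { &AES_CBC_SHA1, &AES_GCM16 };
    for (unsigned i = 0; i < 2; i++)
        printf("%-24s full 1460-byte segment grows by %u; fits MTU 1500 at %u bytes\n",
               sets[i]->name, esp_overhead(sets[i], 20 + 1460),
               max_tcp_payload(sets[i], 1500, 0));
    return 0;
}
```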