IPSec transport mode, mtu, fragmentation...

Michael Tuexen tuexen at freebsd.org
Fri Jan 17 10:30:27 UTC 2020


> On 17. Jan 2020, at 10:49, Andrey V. Elsukov <bu7cher at yandex.ru> wrote:
> 
> On 17.01.2020 12:36, Victor Sudakov wrote:
>> Back to the point. I've figured out that both encrypted (in transport
>> mode) and unencrypted TCP segments have the same MSS=1460. Then I'm
>> completely at a loss how the encrypted packets avoid being fragmented.
>> TCP has no way to know in advance that encryption overhead will be
>> added.
> 
> For IPsec endpoints (i.e. when you encrypt your own sessions), TCP invokes
> the IPSEC_HDRSIZE() method for each outgoing packet, which returns the
> approximate size required for IPsec, and using this information it
> calculates the MSS. I think this should work in this way.
Can't you then use that also when the MSS is computed to be sent out in
the MSS option? That would avoid using ICMP.

Best regards
Michael
> 
> -- 
> WBR, Andrey V. Elsukov
> 
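The overhead question raised in the thread, as an added worked example (this is not code from FreeBSD's IPsec stack or from any of the posters, and `worst_case_overhead()` is my own payload-independent approximation, not a reimplementation of FreeBSD's IPSEC_HDRSIZE()): it computes the on-the-wire size of an ESP transport-mode packet for a TCP segment of a given MSS, the exact largest MSS that still fits a path MTU, and a conservative bound a stack could subtract before it knows the segment length. It assumes IPv4 without options, TCP without options, the RFC 4303 padding rule (payload + pad + trailer a multiple of the cipher block size, trailer ending on a 4-byte boundary), and the IV/ICV sizes of RFC 2404, RFC 4106 and RFC 4868. The MTU of 1500 and the transform list are constructed sample inputs.

```python
# Added worked example: ESP transport-mode overhead and the MSS it implies.
# Not FreeBSD code; sizes follow RFC 4303 (ESP), RFC 2404 (HMAC-SHA1-96),
# RFC 4106 (AES-GCM) and RFC 4868 (HMAC-SHA-256-128).

IP_HDR = 20          # IPv4 header without options (assumed)
TCP_HDR = 20         # TCP header without options (assumed)
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)

# (IV length, cipher block size, ICV length) for a few common ESP transforms.
# Block size 1 means the cipher imposes no alignment beyond ESP's own 4 bytes.
TRANSFORMS = {
    "aes-cbc-128/hmac-sha1-96": (16, 16, 12),
    "aes-cbc-128/hmac-sha2-256-128": (16, 16, 16),
    "aes-gcm-16": (8, 1, 16),
    "null/hmac-sha1-96": (0, 1, 12),
}


def esp_padding(payload_len: int, block_size: int) -> int:
    """Pad bytes RFC 4303 requires: payload + pad + trailer must be a multiple
    of the cipher block size, and the trailer must end on a 4-byte boundary."""
    align = max(block_size, 4)
    return (-(payload_len + ESP_TRAILER)) % align


def esp_packet_len(mss: int, transform: str) -> int:
    """Total IPv4 length of a transport-mode ESP packet carrying a TCP segment
    with `mss` bytes of data. In transport mode the ESP payload is the TCP
    header plus data; the outer IP header is left in the clear."""
    iv_len, block_size, icv_len = TRANSFORMS[transform]
    payload = TCP_HDR + mss
    pad = esp_padding(payload, block_size)
    return IP_HDR + ESP_HDR + iv_len + payload + pad + ESP_TRAILER + icv_len


def max_mss(mtu: int, transform: str) -> int:
    """Largest MSS whose encrypted segment still fits in `mtu`. Exact, because
    it evaluates the padding each candidate length actually produces."""
    for mss in range(mtu - IP_HDR - TCP_HDR, 0, -1):
        if esp_packet_len(mss, transform) <= mtu:
            return mss
    raise ValueError("MTU too small to carry any TCP data")


def worst_case_overhead(transform: str) -> int:
    """Payload-independent upper bound on ESP overhead (maximal padding): the
    kind of approximation a stack can subtract from the MSS before it knows
    the segment length. This is the example author's construction, not
    FreeBSD's IPSEC_HDRSIZE() implementation."""
    iv_len, block_size, icv_len = TRANSFORMS[transform]
    align = max(block_size, 4)
    return ESP_HDR + iv_len + (align - 1) + ESP_TRAILER + icv_len


if __name__ == "__main__":
    mtu = 1500                                # constructed sample path MTU
    plain_mss = mtu - IP_HDR - TCP_HDR        # 1460, the value seen in the thread
    for name in TRANSFORMS:
        enc_len = esp_packet_len(plain_mss, name)
        print(f"{name:32s} MSS {plain_mss} -> {enc_len} bytes on the wire "
              f"({'would fragment' if enc_len > mtu else 'fits'}), "
              f"exact max MSS {max_mss(mtu, name)}, "
              f"conservative MSS {plain_mss - worst_case_overhead(name)}")
```

Running it shows why an unadjusted MSS of 1460 is a problem: with AES-CBC-128 and HMAC-SHA1-96 the encrypted segment is 1544 bytes, 44 over a 1500-byte MTU, whereas an MSS of 1418 lands exactly on a block boundary and produces a 1496-byte packet. The conservative bound is a few bytes lower than the exact maximum because it assumes maximal padding, which is the trade-off a per-packet header-size estimate makes when it cannot see the final segment length.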


