IPSec transport mode, mtu, fragmentation...

Victor Sudakov vas at sibptus.ru
Sat Jan 18 11:50:07 UTC 2020


Eugene Grosbein wrote:
> 
> >>>>> Back to the point. I've figured out that both encrypted (in transport
> >>>>> mode) and unencrypted TCP segments have the same MSS=1460. Then I'm
> >>>>> completely at a loss how the encrypted packets avoid being fragmented.
> >>>>> TCP has no way to know in advance that encryption overhead will be
> >>>>> added.
> > 
> > Here: http://admin.sibptus.ru/~vas/ftp-pcap.tar.gz you can find two
> > identical FTP sessions, the only difference being ipsec=off during one
> > session and ipsec=on during the other one.
> > 
> > As I said, in both the sessions MSS=1460 which is already odd, and I
> > can't explain to myself why file transfer still works without MSS
> > ajustment.
> > 
> > Moreover, something fishy is happening in the encrypted session: there
> > are many TCP retransmissions (I was capturing on the FTP server's side,
> > so there are many segments with the same sequence number). How would you
> > explain this? There are almost no retransmissions in the unencrypted session.
> > 
> > All this is happening in a lab environment (one bhyve VM is an FTP
> > server and the other downloads a file from the first), both VMs are on
> > the same bridge interface. There are almost 19,000 packets in the
> > encrypted file vs 12,000 in the plain file, I think because of those
> > excessive retransmissions.
> > 
> > Could the retransmissions be some artifact of the enc(4) interface I was
> > capturing the encrypted session on?
> 
> I doubt it. And I can't explain this, 


But do you agree that the traffic dumps contain an anomaly?

> but maybe it's work of PMTUD Blackhole detection?
> Look at sysctl net.inet.tcp | fgrep blackhole_

On both 192.168.246.10 and 192.168.246.11:

root at fbsd-test1:~vas # sysctl net.inet.tcp | fgrep blackhole_
net.inet.tcp.v6pmtud_blackhole_mss: 1220
net.inet.tcp.pmtud_blackhole_mss: 1200
net.inet.tcp.pmtud_blackhole_detection: 0

root at fbsd-test2:~ # sysctl net.inet.tcp | fgrep blackhole_
net.inet.tcp.v6pmtud_blackhole_mss: 1220
net.inet.tcp.pmtud_blackhole_mss: 1200
net.inet.tcp.pmtud_blackhole_detection: 0
root at fbsd-test2:~ # 


-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
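The puzzle in the thread is that both sessions advertise MSS=1460, so a full segment already fills a 1500-byte MTU before ESP adds anything. The calculator below is an added example (not code from the thread or from FreeBSD) that makes the arithmetic concrete: it computes the ESP transport-mode overhead for a given TCP payload and derives the largest MSS that still fits the MTU once ESP is applied. It assumes IPv4 without options, TCP data segments without options, and an SA using AES-CBC (16-byte IV and block) with HMAC-SHA1-96 (12-byte ICV); the header and trailer sizes follow RFC 4303, RFC 3602 and RFC 2404, and the cipher parameters are a guess at what the lab SA uses, not something stated in the thread.

```python
"""ESP transport-mode overhead and MSS clamping calculator (added example).

Assumptions (not from the thread): IPv4 header 20 bytes, TCP header 20 bytes,
ESP with a 16-byte IV and 16-byte cipher block (AES-CBC) and a 12-byte ICV
(HMAC-SHA1-96). Change the keyword arguments for other transforms.
"""

IPV4_HDR = 20
TCP_HDR = 20
ESP_SPI_SEQ = 8      # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER_FIXED = 2  # pad length (1 byte) + next header (1 byte)


def esp_overhead(payload_len, iv_len=16, block_len=16, icv_len=12):
    """Bytes ESP adds around a payload_len-byte inner payload in transport mode.

    ESP pads so that (payload + pad + 2) is a multiple of the cipher block
    length; the ICV follows the trailer and is not padded.
    """
    pad = (-(payload_len + ESP_TRAILER_FIXED)) % block_len
    return ESP_SPI_SEQ + iv_len + pad + ESP_TRAILER_FIXED + icv_len


def plain_packet_len(mss):
    """On-the-wire IPv4 size of a full-MSS TCP segment without IPsec."""
    return IPV4_HDR + TCP_HDR + mss


def esp_packet_len(mss, **transform):
    """On-the-wire IPv4 size of the same segment after ESP transport mode.

    Transport mode keeps the outer IPv4 header and encapsulates TCP+payload.
    """
    inner = TCP_HDR + mss
    return IPV4_HDR + inner + esp_overhead(inner, **transform)


def needs_fragmentation(mss, mtu=1500, **transform):
    """True if the ESP-protected segment exceeds the link MTU."""
    return esp_packet_len(mss, **transform) > mtu


def clamp_mss(mtu=1500, **transform):
    """Largest MSS whose ESP-protected segment still fits in the MTU.

    Walks down from the unencrypted maximum; padding makes the size
    non-monotonic in steps of one block, so a search is simpler than a formula.
    """
    for mss in range(mtu - IPV4_HDR - TCP_HDR, 0, -1):
        if esp_packet_len(mss, **transform) <= mtu:
            return mss
    raise ValueError("MTU too small for any TCP payload")


if __name__ == "__main__":
    mss, mtu = 1460, 1500
    print("plain  :", plain_packet_len(mss), "bytes")
    print("ESP    :", esp_packet_len(mss), "bytes",
          "(fragmentation needed)" if needs_fragmentation(mss, mtu) else "(fits)")
    print("clamp  : MSS", clamp_mss(mtu), "->", esp_packet_len(clamp_mss(mtu)), "bytes")
```

With the assumed transform a 1460-byte segment grows from 1500 to 1544 bytes on the wire, so either the stack fragments the ESP packet or the pcap was taken before encapsulation; clamping to the value `clamp_mss()` returns is the usual fix when one cannot rely on PMTUD (and with `net.inet.tcp.pmtud_blackhole_detection=0` on both hosts, as shown above, the blackhole probe is not what is rescuing the transfer).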

