IPSec transport mode, mtu, fragmentation...

Andrey V. Elsukov bu7cher at yandex.ru
Mon Dec 23 10:47:36 UTC 2019


On 23.12.2019 13:06, Victor Sudakov wrote:
>> ESP xform for transport mode just replaces protocol in IP header and
>> adds some info to the end of a packet.
> 
> It is rather easy to verify your theory. If you are right, then
> disabling net.inet.tcp.path_mtu_discovery globally should remove the DF
> flags from the ESP packets too, right?
> 
> Of course, net.inet.tcp.path_mtu_discovery=0 is not a solution, it's just
> a way to check the origin of the DF flag.
> 
> And if you are right, what does it mean to us? Did you see
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=242744 already ?
> 
> My ultimate wish is to make transport mode work out of the box, without
> any workarounds like additional host routes or firewall rules.

I think the real problem is that PMTUD doesn't work correctly with
IPsec. Linux has a special sysctl variable ip_no_pmtu_disc and the flag
SADB_SAFLAGS_NOPMTUDISC for an SA that can disable PMTUD for IPv4, so the IP_DF
flag will not be set. We can add some similar quirks, but it would be
better to fix PMTUD. We already have hundreds of sysctls in our system and
remembering all of them is a problem too.

-- 
WBR, Andrey V. Elsukov
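An added example (not from this thread or from FreeBSD itself) that models what the thread describes: ESP transport mode keeps the IP header, swaps its protocol to ESP and appends data to the packet, while the DF bit chosen by TCP's PMTUD is carried over. It builds a TCP packet sized exactly to the link MTU, applies the transport-mode framing, and reports whether the result can still be delivered with and without DF; the cipher sizes (8-byte IV, 4-byte alignment, 16-byte ICV, as for AES-GCM) and the sample addresses are assumptions.

```python
import struct

IPPROTO_TCP, IPPROTO_ESP = 6, 50
DF_BIT = 0x4000                 # Don't Fragment flag in the flags/offset field
IP_HDR, ESP_HDR = 20, 8         # IPv4 header without options; ESP SPI + sequence

def build_ipv4(proto, payload_len, df):
    """Construct a minimal IPv4 packet with a zero-filled (sample) payload."""
    flags = DF_BIT if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + payload_len, 1, flags,
                      64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + bytes(payload_len)

def parse_ipv4(pkt):
    """Return (protocol, DF set?, total length) from an IPv4 header."""
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:IP_HDR])
    if f[0] >> 4 != 4:
        raise ValueError("not IPv4")
    return f[6], bool(f[4] & DF_BIT), f[2]

def esp_transport(pkt, iv_len=8, block=4, icv_len=16):
    """ESP transport-mode framing per RFC 4303: the IP header stays, its protocol
    becomes ESP, and SPI/seq, IV, padding, pad-len/next-header and ICV are added
    around the original payload. DF is copied from the original header. No real
    encryption here: only the length bookkeeping matters for the MTU question."""
    proto, df, _ = parse_ipv4(pkt)
    inner = pkt[IP_HDR:]
    pad = (-(len(inner) + 2)) % block          # align pad-len + next-header
    body = (bytes(ESP_HDR + iv_len) + inner + bytes(pad)
            + bytes([pad, proto]) + bytes(icv_len))
    return build_ipv4(IPPROTO_ESP, len(body), df)[:IP_HDR] + body

def deliverable(pkt, mtu):
    """An oversized packet gets through only if a router may fragment it."""
    _, df, total_len = parse_ipv4(pkt)
    return total_len <= mtu or not df

def check(mtu=1500):
    """TCP segment that PMTUD sized to exactly the MTU, with and without DF."""
    tcp_df = build_ipv4(IPPROTO_TCP, mtu - IP_HDR, df=True)
    tcp_nodf = build_ipv4(IPPROTO_TCP, mtu - IP_HDR, df=False)
    return {"tcp": deliverable(tcp_df, mtu),
            "esp_df": deliverable(esp_transport(tcp_df), mtu),
            "esp_nodf": deliverable(esp_transport(tcp_nodf), mtu),
            "esp_len": parse_ipv4(esp_transport(tcp_df))[2]}

if __name__ == "__main__":
    print(check())   # {'tcp': True, 'esp_df': False, 'esp_nodf': True, 'esp_len': 1536}
```

The same 1500-byte TCP segment that fits the link before ESP grows to 1536 bytes afterwards; with DF copied it is dropped, with DF cleared (the net.inet.tcp.path_mtu_discovery=0 check above) it is fragmented and delivered.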

