IPSec transport mode, mtu, fragmentation...

Eugene Grosbein eugen at grosbein.net
Mon Dec 23 10:55:39 UTC 2019


23.12.2019 17:45, Andrey V. Elsukov wrote:

> On 23.12.2019 13:06, Victor Sudakov wrote:
>>> ESP xform for transport mode just replaces protocol in IP header and
>>> adds some info to the end of a packet.
>>
>> It is rather easy to verify your theory. If you are right, then
>> disabling net.inet.tcp.path_mtu_discovery globally should remove the DF
>> flags from the ESP packets too, right?
>>
>> Of course, net.inet.tcp.path_mtu_discovery=0 is not a solution, it's just
>> a way to check the origin of the DF flag.
>>
>> And if you are right, what does it mean to us? Did you see
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=242744 already ?
>>
>> My ultimate wish is to make transport mode work out of the box, without
>> any workarounds like additional host routes or firewall rules.
> 
> I think the real problem is that PMTUD doesn't work correctly with
> IPsec. Linux has a special sysctl variable ip_no_pmtu_disc and flag
> SADB_SAFLAGS_NOPMTUDISC for SA that can disable PMTUD for IPv4 and IP_DF
> flag will not be set. We can add some similar quirks, but it would be
> better to fix PMTUD. We already have hundreds of sysctls in our system and
> remembering all of them is a problem too.

It's true that PMTUD does not work with IPSec transport mode.

I think we could just clear the DF bit off encapsulated transport mode packets unconditionally;
please take a look at the last chunk of the sample patch in PR 242744:
https://bz-attachments.freebsd.org/attachment.cgi?id=210122

The sample patch creates another sysctl, but we should do it unconditionally, shouldn't we?


