IPSec transport mode, mtu, fragmentation...

Andrey V. Elsukov bu7cher at yandex.ru
Mon Dec 23 11:02:06 UTC 2019

On 23.12.2019 13:55, Eugene Grosbein wrote:
>> I think the real problem is that PMTUD doesn't work correctly with
>> IPsec. Linux has a special sysctl variable ip_no_pmtu_disc and the flag
>> SADB_SAFLAGS_NOPMTUDISC for an SA that can disable PMTUD for IPv4, so the IP_DF
>> flag will not be set. We can add some similar quirks, but it would be
>> better to fix PMTUD. We already have hundreds of sysctls in our system and
>> remembering all of them is a problem too.
> It's true that PMTUD does not work with IPSec transport mode.
> I think we could just clear the DF bit on encapsulated transport mode packets unconditionally,
> please take a look at the last chunk of the sample patch in PR 242744:
> https://bz-attachments.freebsd.org/attachment.cgi?id=210122
> The sample patch creates another sysctl, but we should do it unconditionally, shouldn't we?

As I said, I didn't find that other OSes do this. Linux has PMTUD
enabled by default, strongSwan doesn't set the SADB_SAFLAGS_NOPMTUDISC flag,
OpenBSD has no such quirk. Why should we add this instead of trying to fix

WBR, Andrey V. Elsukov
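To make the size problem behind this thread concrete, here is an added illustration (not code from the thread, FreeBSD or Linux): a model of IPv4 ESP transport-mode encapsulation per the RFC 4303 layout, showing that a full-MSS TCP segment which fits a 1500-byte link before ESP no longer fits after it, and what happens at a router depending on the DF bit. Cipher parameters (AES-CBC with 16-byte IV, 12-byte ICV) and the 1500-byte MTU are assumptions chosen for the example.

```python
# Constructed model of IPv4 ESP transport mode (RFC 4303 packet layout).
# Assumption: AES-CBC-128 (16-byte block, 16-byte IV) with HMAC-SHA1-96
# (12-byte ICV). Not FreeBSD or Linux stack code; added for illustration.
IPV4_HDR = 20
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)


def esp_padding(payload_len, block_size=16):
    """Padding bytes so payload + padding + trailer is block-aligned."""
    return (-(payload_len + ESP_TRAILER)) % block_size


def esp_transport_len(payload_len, block_size=16, iv_len=16, icv_len=12):
    """On-wire length of an ESP transport-mode packet whose inner transport
    header + data is payload_len bytes (the IPv4 header is reused, not added)."""
    pad = esp_padding(payload_len, block_size)
    return IPV4_HDR + ESP_HDR + iv_len + payload_len + pad + ESP_TRAILER + icv_len


def max_inner_payload(mtu, block_size=16, iv_len=16, icv_len=12):
    """Largest transport payload whose ESP encapsulation still fits in mtu."""
    room = mtu - IPV4_HDR - ESP_HDR - iv_len - icv_len
    return (room // block_size) * block_size - ESP_TRAILER


def router_decision(outer_len, link_mtu, df):
    """What a router on the path does with the encapsulated packet."""
    if outer_len <= link_mtu:
        return "forward"
    # With DF set the packet is dropped and an ICMP "fragmentation needed"
    # message is sent to the outer source; with DF clear it is fragmented.
    return "drop + ICMP frag needed" if df else "fragment"


def full_mss_segment(mtu=1500):
    """Inner and outer sizes for a TCP segment sized to the plain-IP MTU."""
    inner_payload = mtu - IPV4_HDR            # TCP header + data, MSS 1460
    outer = esp_transport_len(inner_payload)
    return inner_payload, outer, router_decision(outer, mtu, df=True)


if __name__ == "__main__":
    inner, outer, verdict = full_mss_segment()
    print(f"inner transport payload {inner} -> ESP packet {outer} bytes: {verdict}")
    fit = max_inner_payload(1500)
    print(f"largest inner payload that still fits 1500: {fit} (TCP MSS {fit - 20})")
```

The outer packet grows by 44 bytes here, so without a working PMTUD feedback path to the inner TCP flow the stack keeps sending 1544-byte packets that a DF-honouring router drops; clearing DF instead lets them be fragmented at the cost of reassembly.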

