IPSec transport mode, mtu, fragmentation...

Eugene Grosbein eugen at grosbein.net
Mon Dec 23 11:08:38 UTC 2019

23.12.2019 18:00, Andrey V. Elsukov wrote:

> On 23.12.2019 13:55, Eugene Grosbein wrote:
>>> I think the real problem is that PMTUD doesn't work correctly with
>>> IPsec. Linux has a special sysctl variable ip_no_pmtu_disc and flag
>>> SADB_SAFLAGS_NOPMTUDISC for SA that can disable PMTUD for IPv4 so the IP_DF
>>> flag will not be set. We can add some similar quirks, but it would be
>>> better to fix PMTUD. We already have hundreds of sysctls in our system and
>>> remembering all of them is a problem too.
>> It's true that PMTUD does not work with IPSec transport mode.
>> I think we could just clear the DF bit off encapsulated transport mode packets unconditionally,
>> please take a look at the last chunk of the sample patch in PR 242744:
>> https://bz-attachments.freebsd.org/attachment.cgi?id=210122
>> The sample patch creates another sysctl but we should do it unconditionally, shouldn't we?
> As I said I didn't find that other OSes do this. Linux has
> PMTUD enabled by default, strongswan doesn't set the SADB_SAFLAGS_NOPMTUDISC flag,
> OpenBSD has no such quirk. Why should we add this instead of trying to fix

RFC 2401 Appendix B https://tools.ietf.org/html/rfc2401#page-1-48 states
that packets generated by IPSec transport mode must be "fragmentable" over the path
and this is incompatible with DF=1.
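As an added illustration (not code from this thread or from FreeBSD's IPsec stack), the following Python shows why a transport-mode packet that fit the link MTU before ESP encapsulation no longer fits afterwards, and what clearing DF on the outer IPv4 header involves (the flag itself plus a recomputed header checksum). Addresses, field values and the ESP overhead sizes (AES-CBC-style IV, block padding and ICV) are constructed assumptions.

```python
import struct

IP_DF = 0x4000  # "Don't Fragment" bit in the IPv4 flags/fragment-offset field


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header; verifying a valid header yields 0."""
    total = 0
    for i in range(0, len(header), 2):
        total += header[i] << 8 | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(total_length: int, flags: int = IP_DF, proto: int = 50) -> bytes:
    """Constructed 20-byte IPv4 header (proto 50 = ESP) with DF set and a valid checksum."""
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])  # RFC 5737 test addresses
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234,
                                flags, 64, proto, 0, src, dst))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def has_df(header: bytes) -> bool:
    return bool(struct.unpack_from("!H", header, 6)[0] & IP_DF)


def clear_df(header: bytes) -> bytes:
    """Copy of the header with DF cleared; the checksum must be recomputed afterwards."""
    hdr = bytearray(header)
    flags_frag = struct.unpack_from("!H", hdr, 6)[0] & ~IP_DF & 0xFFFF
    struct.pack_into("!H", hdr, 6, flags_frag)
    struct.pack_into("!H", hdr, 10, 0)  # zero the old checksum before recomputing
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def esp_transport_length(inner_payload_len: int, iv_len: int = 16,
                         block: int = 16, icv_len: int = 16) -> int:
    """Outer packet size after ESP transport mode: 20-byte IP header, 8-byte ESP
    header, IV, payload + 2-byte trailer padded to the cipher block, then the ICV."""
    body = inner_payload_len + 2
    pad = (-body) % block
    return 20 + 8 + iv_len + body + pad + icv_len


def exceeds_mtu_after_esp(inner_total_len: int, mtu: int) -> bool:
    """True when a packet that fit the MTU as plain IP no longer fits once ESP is added."""
    return inner_total_len <= mtu < esp_transport_length(inner_total_len - 20)
```

A full-size 1500-byte TCP segment thus becomes a 1548-byte ESP packet; with DF still set it is dropped at the first 1500-byte hop, and the ICMP "fragmentation needed" reply names the ESP packet, not the inner TCP flow, which is why the thread calls PMTUD broken here and why RFC 2401 Appendix B wants such packets to stay fragmentable.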
