IPSec transport mode, mtu, fragmentation...

Andrey V. Elsukov bu7cher at yandex.ru
Mon Dec 23 12:02:06 UTC 2019

On 20.12.2019 18:23, Victor Sudakov wrote:
> Dear Colleagues,
> I've set up IPSec in transport mode between two regular FreeBSD hosts,
> for testing. Now TCP sessions between those hosts don't work normally
> any more. For example, scp is stalled almost immediately after starting
> a file transfer, and so is interactive ssh eventually.
> I feel that the problem is somehow related to MTU, MSS and fragmentation
> of ESP packets, because:
> 1. When IPSec is disabled, I can "ping -s1472 -D" the remote host all
> right. 
> 2. When IPSec is enabled, the maximum packet size I've been able to send
> through is "ping -s1414 -D". ("ping -s1415 -D host-b" already disappears
> in the void).

I think the silence from ping is due to IPsec working asynchronously.
I.e. when an application sends data to the stack, it receives good feedback
and thinks that the data was sent successfully, then it waits for a reply.
But IPsec consumes the data and then the encrypted data will be sent from
the crypto thread via a callback. And now it cannot be fragmented due to the
IP_DF bit, but there is no app waiting for this error code.

A similar problem exists with TCP. Probably we can try to send a PRC_MSGSIZE
notification when EMSGSIZE is returned from ip_output(). At least for TCP.

WBR, Andrey V. Elsukov
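The sizing question behind the thread (why a DF ping that fits the 1500-byte link MTU in the clear no longer fits once transport-mode ESP is added, and what MSS a TCP session would need) can be worked out from the ESP layout in RFC 4303. The calculator below is an added example, not code from the thread or from FreeBSD; the cipher parameters (IV length, block alignment, ICV length) are assumptions, since the thread does not say which ESP algorithms were configured, and the 1472/1414 figures are the ones quoted above.

```python
# ESP transport-mode size calculator (added example; parameters are assumptions).
# Layout per RFC 4303: IPv4 hdr | SPI(4) seq(4) | IV | payload | pad | padlen(1) nexthdr(1) | ICV
from dataclasses import dataclass

IPV4_HDR, ICMP_HDR, TCP_HDR, ESP_HDR = 20, 8, 20, 8


@dataclass(frozen=True)
class EspParams:
    iv_len: int     # explicit IV bytes: 16 for AES-CBC, 8 for AES-GCM
    block_len: int  # alignment of the encrypted region: 16 for AES-CBC, 4 for AES-GCM
    icv_len: int    # integrity check value: 12 HMAC-SHA1-96, 16 HMAC-SHA2-256-128 / AES-GCM-16


# Two commonly deployed combinations, used here purely as assumed inputs.
AES_CBC_SHA1 = EspParams(iv_len=16, block_len=16, icv_len=12)
AES_GCM_16 = EspParams(iv_len=8, block_len=4, icv_len=16)


def esp_packet_len(inner_payload_len: int, p: EspParams) -> int:
    """Outer IPv4 packet length when inner_payload_len bytes (everything after the
    inner IP header, e.g. ICMP hdr + data) are wrapped in transport-mode ESP."""
    body = inner_payload_len + 2            # plus pad-length and next-header bytes
    pad = (-body) % max(p.block_len, 4)     # RFC 4303 requires at least 4-byte alignment
    return IPV4_HDR + ESP_HDR + p.iv_len + body + pad + p.icv_len


def fits_with_df(inner_payload_len: int, mtu: int, p: EspParams) -> bool:
    """With IP_DF set the packet is dropped instead of fragmented when it exceeds mtu."""
    return esp_packet_len(inner_payload_len, p) <= mtu


def max_inner_payload(mtu: int, p: EspParams) -> int:
    """Largest inner payload whose ESP packet still fits in mtu (padding makes it step-wise)."""
    n = mtu - IPV4_HDR - ESP_HDR - p.iv_len - p.icv_len - 2   # bound ignoring padding
    while n > 0 and not fits_with_df(n, mtu, p):
        n -= 1
    return n


def cleartext_max_ping_payload(mtu: int) -> int:
    return mtu - IPV4_HDR - ICMP_HDR               # 1472 on a 1500-byte link


def max_ping_payload(mtu: int, p: EspParams) -> int:
    return max_inner_payload(mtu, p) - ICMP_HDR    # "-s" value that still passes with -D


def tcp_mss(mtu: int, p: EspParams) -> int:
    return max_inner_payload(mtu, p) - TCP_HDR     # MSS to advertise so no segment needs DF-fragmenting


def observed_overhead(clear_max_ping: int, ipsec_max_ping: int) -> int:
    """Per-packet ESP cost implied by the two largest DF pings that got through."""
    return clear_max_ping - ipsec_max_ping         # 1472 - 1414 = 58 bytes in the thread
```

Comparing `observed_overhead(1472, 1414)` with `esp_packet_len` for a candidate parameter set is a quick way to check whether the configured algorithms account for the limit seen, or whether something else (e.g. an extra encapsulation) is eating bytes.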

