IPSec transport mode, mtu, fragmentation...

Eugene Grosbein eugen at grosbein.net
Mon Dec 23 12:12:43 UTC 2019

23.12.2019 19:00, Andrey V. Elsukov wrote:

> I think the silence from ping is due to IPsec working asynchronously.
> I.e. when an application sends data to the stack, it receives good feedback
> and thinks that the data was sent successfully, then it waits for a reply.
> But IPsec consumes the data and then the encrypted data will be sent from
> the crypto thread via a callback. And now it cannot be fragmented due to the
> IP_DF bit, but there is no app waiting for this error code.
> A similar problem exists with TCP. Probably we can try to send a PRC_MSGSIZE
> notify when EMSGSIZE is returned from ip_output(). At least for TCP.

What is "an application" in this case? Userland app dealing with sockets?
Another part of the kernel? Some system daemon similar to natd?
