IPSec transport mode, mtu, fragmentation...

Andrey V. Elsukov bu7cher at yandex.ru
Mon Dec 23 12:19:11 UTC 2019


On 23.12.2019 15:12, Eugene Grosbein wrote:
> 23.12.2019 19:00, Andrey V. Elsukov wrote:
> 
>> I think the silence from ping is due to IPsec working asynchronously.
>> I.e. when an application sends data to the stack, it receives good feedback
>> and thinks that the data was sent successfully, then it waits for a reply.
>> But IPsec consumes the data and then the encrypted data will be sent from
>> the crypto thread via callback. And now it can not be fragmented due to the
>> IP_DF bit, but there is no app waiting for this error code.
>>
>> A similar problem exists with TCP. Probably we can try to send a PRC_MSGSIZE
>> notify when EMSGSIZE is returned from ip_output(). At least for TCP.
> 
> What is "an application" in this case? Userland app dealing with sockets?
> Another part of the kernel? Some system daemon similar to natd?

TCP tries to automatically adjust the MSS to avoid segment loss. It can
interoperate with ICMP to handle ICMP UNREACH messages. AFAIR, it works
via host cache. I need some time to remember how it works.

-- 
WBR, Andrey V. Elsukov
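The thread above is about ESP transport mode pushing a DF-marked packet past the path MTU after the application has already been told the send succeeded. The following added example (not code from the post or from FreeBSD) computes how much of the MTU is left for the inner payload once ESP overhead and padding are accounted for, and so which TCP MSS avoids the failure; the cipher parameters (IV length, ICV length, padding alignment) are assumed values for illustration.

```python
# Added example, not from the mailing-list post: ESP transport-mode
# overhead calculator. Shows why a DF-marked packet sized for the link MTU
# no longer fits once ESP is added, and what MSS to clamp TCP to instead.
# Cipher parameters below are assumptions for illustration.

IP_HDR = 20      # IPv4 header, stays outside ESP in transport mode
TCP_HDR = 20     # TCP header without options
ESP_HDR = 8      # SPI (4) + sequence number (4)
ESP_TRAILER = 2  # pad length (1) + next header (1)

def esp_overhead(payload_len, iv_len, icv_len, align):
    """Bytes ESP adds around a payload of payload_len bytes.

    `align` is the size (payload + trailer) must be padded to:
    16 for AES-CBC, 4 for AES-GCM/CTR (ESP's minimum 4-byte alignment).
    """
    unpadded = payload_len + ESP_TRAILER
    pad = (-unpadded) % align
    return ESP_HDR + iv_len + pad + ESP_TRAILER + icv_len

def max_payload(mtu, iv_len, icv_len, align):
    """Largest ESP payload (transport header + data) that fits in `mtu`
    without fragmentation in transport mode (IP header kept outside)."""
    budget = mtu - IP_HDR
    # Padding depends on the payload length, so walk down from the
    # unpadded bound until the whole ESP packet fits the budget.
    for n in range(budget, 0, -1):
        if n + esp_overhead(n, iv_len, icv_len, align) <= budget:
            return n
    return 0

def tcp_mss(mtu, iv_len, icv_len, align):
    """MSS to clamp so TCP segments never need fragmentation under ESP."""
    return max_payload(mtu, iv_len, icv_len, align) - TCP_HDR

if __name__ == "__main__":
    # Assumed SAs: AES-GCM-16 (8-byte IV, 16-byte ICV, 4-byte alignment) and
    # AES-CBC with HMAC-SHA-256-128 (16-byte IV, 16-byte ICV, 16-byte blocks).
    for name, iv, icv, align in (("aes-gcm-16", 8, 16, 4),
                                  ("aes-cbc+hmac-sha256", 16, 16, 16)):
        print(name, "max payload", max_payload(1500, iv, icv, align),
              "tcp mss", tcp_mss(1500, iv, icv, align))
```

For a 1500-byte MTU the example gives an MSS of 1426 with AES-GCM-16 and 1418 with AES-CBC; a 1460-byte segment that fits the bare link will not fit once ESP wraps it.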
