IPSec transport mode, mtu, fragmentation...

Victor Sudakov vas at sibptus.ru
Thu Jan 16 15:53:16 UTC 2020


Eugene Grosbein wrote:
> 
> > I prepared the PoC patch that should fix the problem with TCP and
> > transport mode IPsec. But I have not free time currently to properly
> > test and debug it. It is only compile-tested. But If you want, you can
> > try :)
> > Currently only IPv4 support is implemented.
> > 
> > https://people.freebsd.org/~ae/ipsec_transport_mode_ctlinput.diff
> 
> In fact, I've faced this problem long time ago too and I work around it with different approaches
> like "ipfw tcp-setmss" (MSS adjust) or by using IPSec transport mode
> with gif(4) interface removing DF bit out of encapsulated packets.
> 
> I was going to test your patch with my home router but the patch does not apply to stable/11, at all.
> Do you have time to adjust it to stable/11 ?

What beats me is that I cannot reproduce this problem in bhyve. In this
packet dump: http://admin.sibptus.ru/~vas/ipsec1.pcap.gz I'm scp-ing a
50M file from 192.168.246.10 (bhyve guest) to 192.168.246.1 (bhyve
host), and I see no fragments, and the largest packet is 1466 bytes, and
the scp never stalls nor fails.

Why is it NOT broken this time?

Both hosts are 12.1-RELEASE-p1.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
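To make the MTU problem the thread is about concrete, here is an added example (not code from the thread or from FreeBSD) that works out how much ESP transport mode adds to a full-size TCP segment and what MSS keeps the encapsulated packet within the path MTU. The transform parameters (IV length, cipher block size, ICV length) are constructed assumptions for two common ESP configurations, and the helper names are hypothetical; the ipfw rule text is assembled from the "ipfw tcp-setmss" workaround mentioned above and should be checked against ipfw(8) before use.

```python
# Added example (not from the thread): sizing the TCP MSS for IPsec ESP transport mode.
from dataclasses import dataclass
import math

IP_HDR = 20       # IPv4 header without options
TCP_HDR = 20      # TCP header without options
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspParams:
    name: str
    iv_len: int      # explicit IV carried right after the ESP header
    block_size: int  # plaintext + trailer is padded up to a multiple of this (RFC 4303: at least 4)
    icv_len: int     # integrity check value appended after the ciphertext


# Constructed parameter sets (assumptions for illustration, not measured from the pcap above).
AES_CBC_HMAC_SHA1 = EspParams("aes-cbc + hmac-sha1-96", iv_len=16, block_size=16, icv_len=12)
AES_GCM_128 = EspParams("aes-gcm (16-byte ICV)", iv_len=8, block_size=4, icv_len=16)


def esp_transport_packet_len(tcp_payload: int, p: EspParams) -> int:
    """Bytes on the wire for one TCP segment carrying tcp_payload bytes, ESP transport mode."""
    plaintext = TCP_HDR + tcp_payload + ESP_TRAILER          # what gets encrypted
    padded = math.ceil(plaintext / p.block_size) * p.block_size
    return IP_HDR + ESP_HDR + p.iv_len + padded + p.icv_len


def max_tcp_mss(mtu: int, p: EspParams) -> int:
    """Largest TCP payload whose ESP-encapsulated packet still fits in the MTU."""
    # Packet length is non-decreasing in the payload, so scanning down from the
    # classic MTU-40 MSS returns the first (largest) value that fits.
    mss = mtu - IP_HDR - TCP_HDR
    while mss > 0 and esp_transport_packet_len(mss, p) > mtu:
        mss -= 1
    return mss


def overflow_without_clamp(mtu: int, p: EspParams) -> int:
    """How far a segment using the unclamped MSS (MTU-40) overshoots the MTU once encapsulated."""
    return esp_transport_packet_len(mtu - IP_HDR - TCP_HDR, p) - mtu


def ipfw_tcp_setmss_rule(mtu: int, p: EspParams, rule_no: int = 100) -> str:
    """Suggested ipfw clamp rule; syntax assumed from ipfw(8), verify on your release."""
    return f"ipfw add {rule_no} tcp-setmss {max_tcp_mss(mtu, p)} tcp from any to any"


if __name__ == "__main__":
    for params in (AES_CBC_HMAC_SHA1, AES_GCM_128):
        print(f"{params.name}: unclamped segment overshoots a 1500-byte MTU by "
              f"{overflow_without_clamp(1500, params)} bytes; "
              f"safe MSS = {max_tcp_mss(1500, params)}")
        print("  ", ipfw_tcp_setmss_rule(1500, params))
```

With a 1500-byte MTU and the AES-CBC/HMAC-SHA1 assumptions, a 1460-byte segment grows to 1544 bytes after encapsulation, which is exactly the situation where a DF-marked packet is either fragmented or dropped; clamping the MSS to 1418 keeps the whole ESP packet at or below 1500 bytes, which is what the tcp-setmss and gif(4) DF-clearing workarounds quoted above are trying to achieve.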