IPSec transport mode, mtu, fragmentation...

Andrey V. Elsukov bu7cher at yandex.ru
Thu Jan 16 16:39:17 UTC 2020


On 16.01.2020 19:07, Victor Sudakov wrote:
> Eugene Grosbein wrote:
>>
>>> What beats me is that I cannot reproduce this problem in bhyve. In this
>>> packet dump: http://admin.sibptus.ru/~vas/ipsec1.pcap.gz I'm scp-ing a
>>> 50M file from 192.168.246.10 (bhyve guest) to 192.168.246.1 (bhyve
>>> host), and I see no fragments, and the largets packet is 1466 bytes, and
>>> the scp never stalls nor fails.
>>>
>>> Why is it NOT broken this time?
>>>
>>> Both hosts are 12.1-RELEASE-p1.
>>
>> I could not reproduce the problem with unpatched recent stable/11, either :-)
> 
> Is there a way to view the MSS in the TCP segments before encryption or
> after decryption? I want to compare them in situations with IPSec
> enabled and disabled.
> 
> I've never been able to see anything in "tcpdump -i enc0", probably it
> cannot do transport mode IPSec because the man page talks about "outer
> and inner header."

For transport mode, the inner and outer headers will be the same.
I guess the problem can be reproduced in the lab using the following config:

    [Host A] <--> [Router] <--> [Host B]

IPsec should be configured between hosts A and B. Then you need to
reduce the MTU on the router. This should lead to ICMP NEEDFRAG messages
from the router, and then the host should correctly handle them.

-- 
WBR, Andrey V. Elsukov
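Added illustration of the handling described in the lab setup above (this is example code written for this page, not code from the thread, from FreeBSD, or from any of the participants). It models what the host at one end of a transport-mode ESP SA has to do when the router in the middle answers with an ICMP "fragmentation needed" message: read the next-hop MTU, subtract the ESP transport-mode overhead (ESP header, IV, block padding, trailer, ICV), and lower the TCP MSS accordingly. The ESP transform sizes are assumptions (defaults model AES-CBC with a 16-byte IV and block and HMAC-SHA1-96 with a 12-byte ICV; a GCM-like profile is also shown), the ICMP message and the quoted IP/ESP header are constructed inline, and the two addresses are only taken from the packet dump mentioned in the thread.

```python
"""Host-side handling of ICMP NEEDFRAG (type 3, code 4, RFC 1191) for a
TCP flow carried in IPsec transport-mode ESP.

Constructed example. The IV, cipher block and ICV sizes are parameters
because the thread does not say which ESP transform the hosts use.
"""
import struct

IP_HDR = 20       # IPv4 header without options (assumption)
TCP_HDR = 20      # TCP header without options (assumption)
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)
IPPROTO_ESP = 50


def esp_transport_size(tcp_segment_len, iv_len=16, block_size=16, icv_len=12):
    """Wire size of one TCP segment after ESP transport-mode encapsulation:
    IP | ESP hdr | IV | {TCP segment, padding, trailer} | ICV.
    Defaults assume AES-CBC (16-byte IV/block) + HMAC-SHA1-96 (12-byte ICV)."""
    plain = tcp_segment_len + ESP_TRAILER
    pad = (-plain) % block_size   # payload + trailer end on a block boundary
    return IP_HDR + ESP_HDR + iv_len + plain + pad + icv_len


def max_tcp_segment_for_mtu(path_mtu, iv_len=16, block_size=16, icv_len=12):
    """Largest TCP segment (header + data) whose ESP packet still fits path_mtu.
    Padding makes the size jump in block_size steps, so walk down from the
    MTU instead of inverting the formula."""
    for seg in range(path_mtu, 0, -1):
        if esp_transport_size(seg, iv_len, block_size, icv_len) <= path_mtu:
            return seg
    raise ValueError("MTU too small for any ESP packet")


def inet_checksum(data):
    """RFC 1071 one's-complement checksum; 0 over a correctly summed message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def constructed_quoted_esp_packet(src="192.168.246.10", dst="192.168.246.1"):
    """Constructed IPv4 header + first 8 bytes of ESP (SPI, seq), i.e. the
    part of the offending packet a router quotes back in the ICMP error."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1544, 0x1234, 0x4000, 64,
                     IPPROTO_ESP, 0, bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    esp = struct.pack("!II", 0x1000, 1)   # hypothetical SPI and sequence
    return ip + esp


def build_needfrag(next_hop_mtu, quoted):
    """Constructed ICMP 3/4 as a router would send it:
    type, code, checksum, unused(2), next-hop MTU(2), quoted IP header + 8."""
    msg = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + quoted
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def parse_needfrag(msg):
    """Return (next_hop_mtu, quoted) for a valid 3/4 message, else None.
    A pre-RFC 1191 router sends next_hop_mtu == 0; that value is passed
    through so the caller can fall back to a plateau search."""
    if len(msg) < 8 + IP_HDR + 8:
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if typ != 3 or code != 4 or inet_checksum(msg) != 0:
        return None
    return mtu, msg[8:]


def mss_after_needfrag(msg, current_mss, iv_len=16, block_size=16, icv_len=12):
    """Lower the TCP MSS so the *encrypted* packet fits the reported MTU.
    Leaves the MSS alone when the ICMP is invalid, carries MTU 0, or does not
    quote one of our ESP packets."""
    parsed = parse_needfrag(msg)
    if parsed is None or parsed[0] == 0:
        return current_mss
    mtu, quoted = parsed
    if quoted[9] != IPPROTO_ESP:     # protocol field of the quoted IP header
        return current_mss
    seg = max_tcp_segment_for_mtu(mtu, iv_len, block_size, icv_len)
    return min(current_mss, seg - TCP_HDR)


if __name__ == "__main__":
    # A full 1460-byte MSS segment no longer fits a 1500-byte link once ESP
    # overhead is added, which is exactly what makes the router complain.
    print("ESP size of a 1480-byte TCP segment:", esp_transport_size(1480))
    icmp = build_needfrag(1400, constructed_quoted_esp_packet())
    print("MSS after NEEDFRAG(1400):", mss_after_needfrag(icmp, 1460))
```

The walk-down in max_tcp_segment_for_mtu is deliberate: with CBC padding the encrypted size grows in block-sized jumps, so subtracting a fixed overhead from the MTU can pick a segment that still does not fit. The checksum and protocol checks are the minimum a host should do before trusting an unauthenticated ICMP error from the path.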
