IPSec transport mode, mtu, fragmentation...

Eugene Grosbein eugen at grosbein.net
Fri Jan 17 09:51:38 UTC 2020


17.01.2020 16:36, Victor Sudakov wrote:

> Back to the point. I've figured out that both encrypted (in transport
> mode) and unencrypted TCP segments have the same MSS=1460. Then I'm
> completely at a loss how the encrypted packets avoid being fragmented.
> TCP has no way to know in advance that encryption overhead will be
> added.

If the outgoing route (e.g. the default route) has a lower MTU, the kernel should respond with EMSGSIZE
to TCP's attempt to send an oversized packet when PMTUD is enabled.

If PMTUD discovers that the path MTU is low, it should store this information in the hostcache
(see sysctl net.inet.tcp.hostcache.list) and use the hostcache's MTU for the same goal.
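Added worked example, not part of the thread above and not FreeBSD code: it sizes a TCP segment after ESP transport-mode encapsulation (the RFC 4303 layout: SPI, sequence number, IV, payload, padding, pad-length and next-header bytes, ICV) and derives the largest MSS that still fits the outgoing MTU. It assumes IPv4 and TCP headers without options, and the IV/padding/ICV figures are the standard ones for the named transforms; the transform names and all function names are this example's own. The point it makes concrete is Victor's puzzle: with MSS=1460 the plaintext segment fills a 1500-byte MTU exactly, and the ESP bytes TCP cannot see push the encrypted packet past it, which is exactly what the EMSGSIZE/hostcache path described above has to feed back to TCP.

```python
# Added example (not from the original thread, not FreeBSD kernel code).
# Sizes a TCP segment after ESP transport-mode encapsulation (RFC 4303
# layout) and derives the largest MSS that still fits the outgoing MTU.
# Assumes IPv4 and TCP headers without options.

IP_HDR = 20       # IPv4 header, no options (assumption)
TCP_HDR = 20      # TCP header, no options (assumption)
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)

# Per-transform (IV length, padding alignment, ICV length) in bytes.
# Values are the standard ones for these transforms; the key names are ours.
TRANSFORMS = {
    "aes-cbc/hmac-sha1-96":    (16, 16, 12),
    "aes-cbc/hmac-sha256-128": (16, 16, 16),
    "aes-gcm-16":              (8, 4, 16),
}


def esp_padding(payload_len, align):
    """Padding so that payload + padding + ESP trailer is a multiple of `align`."""
    return (-(payload_len + ESP_TRAILER)) % align


def plain_packet_len(tcp_data_len):
    """IPv4 packet length of an unencrypted TCP segment."""
    return IP_HDR + TCP_HDR + tcp_data_len


def esp_transport_packet_len(tcp_data_len, transform):
    """IPv4 packet length of the same segment wrapped in ESP transport mode.

    In transport mode the ESP payload is the whole TCP segment; the outer
    IP header stays outside ESP.
    """
    iv, align, icv = TRANSFORMS[transform]
    tcp_seg = TCP_HDR + tcp_data_len
    pad = esp_padding(tcp_seg, align)
    return IP_HDR + ESP_HDR + iv + tcp_seg + pad + ESP_TRAILER + icv


def fits(tcp_data_len, mtu, transform):
    """True if the ESP-encapsulated segment needs no fragmentation."""
    return esp_transport_packet_len(tcp_data_len, transform) <= mtu


def max_mss(mtu, transform):
    """Largest TCP payload whose ESP-encapsulated packet still fits in mtu.

    Starts from the MSS TCP would pick without IPsec (mtu - 40) and walks
    down; padding makes the packet size non-monotonic in steps of `align`,
    so a linear search is the simplest correct approach.
    """
    mss = mtu - IP_HDR - TCP_HDR
    while mss > 0 and esp_transport_packet_len(mss, transform) > mtu:
        mss -= 1
    return mss


if __name__ == "__main__":
    mtu, mss = 1500, 1460
    print(f"plaintext segment, MSS={mss}: {plain_packet_len(mss)} bytes (MTU {mtu})")
    for name in TRANSFORMS:
        enc = esp_transport_packet_len(mss, name)
        verdict = "fits" if enc <= mtu else "exceeds MTU, DF packet gets EMSGSIZE or fragments"
        print(f"{name:26s}: {enc} bytes -> {verdict}; safe MSS = {max_mss(mtu, name)}")
```

Run as a script it prints, for each transform, the encapsulated size of a 1460-byte segment against a 1500-byte MTU and the MSS that would avoid fragmentation; the AES-CBC/HMAC-SHA1 line comes out at 1544 bytes, which is the overhead TCP has no way of anticipating from its own MSS negotiation.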


