IPSec transport mode, mtu, fragmentation...
Victor Sudakov
vas at sibptus.ru
Fri Jan 17 15:04:50 UTC 2020
Andrey V. Elsukov wrote:
> On 17.01.2020 12:36, Victor Sudakov wrote:
> > Back to the point. I've figured out that both encrypted (in transport
> > mode) and unencrypted TCP segments have the same MSS=1460. Then I'm
> > completely at a loss how the encrypted packets avoid being fragmented.
> > TCP has no way to know in advance that encryption overhead will be
> > added.
>
> For IPsec endpoints (i.e. when you encrypt own sessions) TCP for each
> outgoing packet invokes IPSEC_HDRSIZE() method, that returns approximate
> size required for IPsec, and using this information it calculates MSS.
I observe in Wireshark that the MSS is the same in encrypted and
unencrypted segments.
> I think this should work in this way.
Obviously it is not working this way; if it were, I'd see different MSS
values, but this is not the case.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
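The thread above turns on whether the TCP MSS accounts for ESP overhead in transport mode. The following is an added example, not code from the thread or from FreeBSD: it estimates the ESP transport-mode packet size from the RFC 4303 framing (SPI, sequence number, IV, padding to the cipher's alignment, pad length, next header, ICV) and derives the largest MSS that keeps a full segment within the path MTU. The cipher and integrity parameters are assumptions, since the thread does not say which SA was in use; the 1460 / 1500 figures are the ones under discussion.

```python
# Added example (not from the thread): ESP transport-mode overhead per
# RFC 4303 framing and the TCP MSS that avoids post-encryption fragmentation.
# Suite parameters are assumptions; the thread does not name the SA used.
import math

IPV4_HDR = 20
TCP_HDR = 20
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)

# (IV length, pad alignment, ICV length) for some common suites (constructed table)
SUITES = {
    "aes-cbc-128/hmac-sha1-96":  (16, 16, 12),
    "aes-cbc-256/hmac-sha2-256": (16, 16, 16),
    "aes-gcm-128":               (8, 4, 16),
    "null/hmac-sha1-96":         (0, 4, 12),
}

def esp_packet_size(payload, suite, ip_hdr=IPV4_HDR):
    """On-the-wire IPv4 size of a TCP segment carrying `payload` bytes in ESP transport mode."""
    iv, align, icv = SUITES[suite]
    plaintext = TCP_HDR + payload + ESP_TRAILER      # what gets encrypted (incl. trailer)
    padded = math.ceil(plaintext / align) * align    # ESP padding to the cipher alignment
    return ip_hdr + ESP_HDR + iv + padded + icv

def safe_mss(mtu, suite, ip_hdr=IPV4_HDR):
    """Largest TCP payload whose ESP-encapsulated packet still fits in `mtu`."""
    iv, align, icv = SUITES[suite]
    budget = mtu - ip_hdr - ESP_HDR - iv - icv       # room left for the padded plaintext
    padded = (budget // align) * align               # largest aligned block that fits
    return padded - ESP_TRAILER - TCP_HDR

def fragmentation_check(observed_mss, mtu, suite):
    """Return (wire_size, safe_mss, fragments) for a full-MSS segment on this suite."""
    size = esp_packet_size(observed_mss, suite)
    return size, safe_mss(mtu, suite), size > mtu

if __name__ == "__main__":
    # MSS 1460 on a 1500-byte MTU, as observed in the thread
    for suite in SUITES:
        size, mss, frag = fragmentation_check(1460, 1500, suite)
        print(f"{suite:28} wire={size} safe_mss={mss} fragments={frag}")
```

If the observed MSS exceeds `safe_mss` for the SA actually negotiated, the full-sized segments must either be fragmented after ESP encapsulation or be clamped somewhere else, which is what a capture on both sides of the IPsec boundary should be compared against.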