IPSec transport mode, mtu, fragmentation...

Victor Sudakov vas at sibptus.ru
Fri Jan 17 15:09:30 UTC 2020


Eugene Grosbein wrote:
> 17.01.2020 16:36, Victor Sudakov writes:
> 
> > Back to the point. I've figured out that both encrypted (in transport
> > mode) and unencrypted TCP segments have the same MSS=1460. Then I'm
> > completely at a loss how the encrypted packets avoid being fragmented.
> > TCP has no way to know in advance that encryption overhead will be
> > added.
> 
> If outgoing route (f.e. default route) has lower MTU, kernel should respond with EMSGSIZE
> to TCP's attempt to send oversized packet when PMTUD is enabled.
> 
> If PMTUD discovers that path mtu is low, it should store this information in the hostcache
> (see sysctl net.inet.tcp.hostcache.list) and use hostcache's MTU for same goal.

Should this result in a smaller MSS in TCP to such hosts?

PS "sysctl net.inet.tcp.hostcache.list | grep 192.168.246.11" yields
nothing, and yet 192.168.246.11 is the VM with which I have a transport
mode SA.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
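The exchange above turns on a piece of arithmetic that TCP cannot see: a segment sized for the interface MTU grows by the ESP header, IV, padding, trailer and ICV once it is wrapped in transport mode, so either PMTUD has to feed a smaller MTU back to TCP (via EMSGSIZE or the hostcache) or the packet is fragmented or dropped. The following is an added example, not code from this thread or from FreeBSD: it computes the on-the-wire size of an ESP transport-mode datagram for a given MSS using the fixed field sizes from RFC 4303, and the largest MSS that still fits a given link MTU. The IV, block-alignment and ICV lengths are parameters; the two suites named in the table are assumed sample values, not anything configured on the hosts in the thread.

```python
"""Added example (not from the thread or FreeBSD): ESP transport-mode
overhead arithmetic, to show why a TCP segment sized for the link MTU
no longer fits once ESP is applied, and what MSS would fit instead."""

IPV4_HDR = 20         # IPv4 header without options
TCP_HDR = 20          # TCP header without options (assumed)
ESP_SPI_SEQ = 8       # SPI (4) + sequence number (4), RFC 4303 section 2
ESP_TRAILER = 2       # pad length (1) + next header (1)

# Assumed sample suites: (IV length, pad alignment, ICV length) in bytes.
# These are illustrative values, not the SA parameters of the thread's hosts.
SUITES = {
    "aes-cbc-128/hmac-sha1-96": (16, 16, 12),
    "aes-gcm-16": (8, 4, 16),
}


def esp_padding(plaintext_len: int, align: int) -> int:
    """Bytes of ESP padding so that plaintext + padding + trailer is a
    multiple of the cipher's required alignment (RFC 4303 section 2.4)."""
    return (-(plaintext_len + ESP_TRAILER)) % align


def esp_transport_packet_len(mss: int, suite: str) -> int:
    """Total IPv4 datagram length once a TCP segment carrying `mss` bytes of
    data is wrapped in ESP transport mode (the TCP header + data is the
    ESP payload; the outer IPv4 header is unchanged)."""
    iv, align, icv = SUITES[suite]
    plaintext = TCP_HDR + mss
    pad = esp_padding(plaintext, align)
    return IPV4_HDR + ESP_SPI_SEQ + iv + plaintext + pad + ESP_TRAILER + icv


def max_mss_for_mtu(mtu: int, suite: str) -> int:
    """Largest MSS whose ESP-wrapped segment still fits the link MTU.
    Starts at the MSS TCP would derive without ESP and walks down; the
    loop ends within a few dozen iterations for realistic suites."""
    mss = mtu - IPV4_HDR - TCP_HDR
    while mss > 0 and esp_transport_packet_len(mss, suite) > mtu:
        mss -= 1
    return mss


def mss_for_path_mtu(path_mtu: int) -> int:
    """MSS that follows from a learned path MTU (IPv4, no options); this is
    the kind of value a stack would take from a PMTUD result or host cache."""
    return path_mtu - IPV4_HDR - TCP_HDR


def report(mtu: int = 1500) -> dict:
    """Per-suite summary: the cleartext-derived MSS, the datagram size it
    produces under ESP, whether that overflows the MTU, and the MSS that fits."""
    cleartext_mss = mss_for_path_mtu(mtu)
    out = {}
    for suite in SUITES:
        esp_len = esp_transport_packet_len(cleartext_mss, suite)
        out[suite] = {
            "cleartext_mss": cleartext_mss,
            "esp_len": esp_len,
            "overflow": esp_len > mtu,
            "max_mss": max_mss_for_mtu(mtu, suite),
        }
    return out


if __name__ == "__main__":
    for suite, row in report(1500).items():
        print(f"{suite:28s} MSS={row['cleartext_mss']} -> {row['esp_len']} bytes "
              f"(overflow={row['overflow']}), fitting MSS={row['max_mss']}")
```

With a 1500-byte MTU and the cleartext MSS of 1460 from the thread, both sample suites push the ESP datagram past the MTU, which is exactly why the TCP layer has to learn a smaller effective MTU from somewhere (EMSGSIZE from the route, or a cached path MTU) rather than infer it from the SA itself; the `max_mss` column is the size the segment would need to be clamped to for that suite.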