IPSec transport mode, mtu, fragmentation...

Victor Sudakov vas at sibptus.ru
Sun Jan 19 03:38:44 UTC 2020


Julian Elischer wrote:
> > 
> > > Back to the point. I've figured out that both encrypted (in transport
> > > mode) and unencrypted TCP segments have the same MSS=1460. Then I'm
> > > completely at a loss how the encrypted packets avoid being fragmented.
> > > TCP has no way to know in advance that encryption overhead will be
> > > added.

> Using multiple routing tables we could add a mechanism to the ipsec
> code so that encapsulated sessions are referred to one routing table
> and that the "envelope" routes are referencing another (specified in
> ipsec setup) routing table.  The two routing tables would have different
> MTUs.  This mechanism/framework would also be useful for other
> tunneling protocols in general.

I think before inventing something so innovative and clever, we should
look at how IPSec transport mode and MTU adjustment are implemented in
other OSes (OpenBSD, Linux, even Windows). Any experts?


-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
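As an added illustration of the sizing problem raised in this thread (this is example code, not part of the thread and not FreeBSD's ipsec code), the following Python computes how large an ESP transport-mode packet carrying a full MSS=1460 TCP segment becomes, and the largest MSS that still fits a 1500-byte MTU. The SA parameters (AES-CBC with HMAC-SHA1-96 by default, and an AES-GCM variant in the usage) are assumptions, not something stated in the thread.

```python
# Added example: ESP transport-mode overhead vs. a 1500-byte MTU.
# SA parameters below are assumptions (AES-CBC + HMAC-SHA1-96 by default).

IP_HDR = 20      # IPv4 header without options
TCP_HDR = 20     # TCP header without options
ETH_MTU = 1500   # Ethernet MTU assumed throughout


def esp_transport_size(payload_len, iv_len=16, block=16, icv_len=12):
    """Total IPv4 packet length once a transport-layer payload of
    payload_len bytes (TCP header + data) is wrapped in ESP transport mode.

    ESP layout: SPI(4) + sequence(4) + IV + ciphertext + ICV, where the
    ciphertext covers payload + padding + pad-length(1) + next-header(1),
    padded up to a multiple of the cipher block size (min. 4 bytes).
    """
    spi_seq = 8
    trailer_fixed = 2  # pad-length byte + next-header byte
    padded = -(-(payload_len + trailer_fixed) // block) * block  # ceil
    return IP_HDR + spi_seq + iv_len + padded + icv_len


def needs_fragmentation(mss, mtu=ETH_MTU, **sa):
    """True if a full-MSS TCP segment no longer fits the MTU after ESP."""
    return esp_transport_size(TCP_HDR + mss, **sa) > mtu


def max_mss_without_fragmentation(mtu=ETH_MTU, **sa):
    """Largest MSS whose ESP-wrapped segment still fits the MTU.

    Starts from the plaintext MSS (mtu - IP - TCP) and walks down; the
    padding makes the size step-wise, so a linear search is the simplest
    correct approach.
    """
    mss = mtu - IP_HDR - TCP_HDR
    while mss > 0 and esp_transport_size(TCP_HDR + mss, **sa) > mtu:
        mss -= 1
    return mss


if __name__ == "__main__":
    # Plaintext MSS 1460 + 20-byte TCP header = 1480 bytes handed to ESP.
    print("AES-CBC/HMAC-SHA1-96, MSS 1460 ->", esp_transport_size(1480), "bytes")
    print("largest non-fragmenting MSS     ->", max_mss_without_fragmentation())
    # AES-GCM style SA: 8-byte IV, 4-byte alignment, 16-byte ICV (assumed).
    gcm = dict(iv_len=8, block=4, icv_len=16)
    print("AES-GCM, MSS 1460               ->", esp_transport_size(1480, **gcm))
    print("largest non-fragmenting MSS     ->", max_mss_without_fragmentation(**gcm))
```

With the default SA the 1480-byte segment grows to 1544 bytes on the wire, which is why an unchanged MSS of 1460 forces fragmentation (or a DF drop); the sender would have to advertise at most 1418 to stay within 1500.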