Date: Mon, 23 Dec 2019 15:17:29 +0300 From: "Andrey V. Elsukov" <bu7cher@yandex.ru> To: Eugene Grosbein <eugen@grosbein.net>, Victor Sudakov <vas@sibptus.ru>, freebsd-net@freebsd.org Cc: Michael Tuexen <tuexen@freebsd.org> Subject: Re: IPSec transport mode, mtu, fragmentation... Message-ID: <6eeadbcf-1b0c-1116-adfa-279690f2be58@yandex.ru> In-Reply-To: <1c58795b-4f9f-1921-9057-500aef442ae2@grosbein.net> References: <20191220152314.GA55278@admin.sibptus.ru> <4cc83b85-dd30-8c0d-330e-aa549ce98c98@yandex.ru> <1c58795b-4f9f-1921-9057-500aef442ae2@grosbein.net>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --KeMw8o3QvWPkECmJzYiZMt0LxxAFjF6x6 Content-Type: multipart/mixed; boundary="hSvyhLUmzz7d0PegKimjjnUoh7YyAkQWb"; protected-headers="v1" From: "Andrey V. Elsukov" <bu7cher@yandex.ru> To: Eugene Grosbein <eugen@grosbein.net>, Victor Sudakov <vas@sibptus.ru>, freebsd-net@freebsd.org Cc: Michael Tuexen <tuexen@freebsd.org> Message-ID: <6eeadbcf-1b0c-1116-adfa-279690f2be58@yandex.ru> Subject: Re: IPSec transport mode, mtu, fragmentation... References: <20191220152314.GA55278@admin.sibptus.ru> <4cc83b85-dd30-8c0d-330e-aa549ce98c98@yandex.ru> <1c58795b-4f9f-1921-9057-500aef442ae2@grosbein.net> In-Reply-To: <1c58795b-4f9f-1921-9057-500aef442ae2@grosbein.net> --hSvyhLUmzz7d0PegKimjjnUoh7YyAkQWb Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: quoted-printable On 23.12.2019 15:12, Eugene Grosbein wrote: > 23.12.2019 19:00, Andrey V. Elsukov wrote: >=20 >> I think the silence from ping is due to IPsec works asynchronously. >> I.e. when application sends data to the stack, it receives good feedba= ck >> and thinks that data was send successful then it waits for reply. >> But IPsec consumes the data and then encrypted data will be send from >> crypto thread via callback. And now they can not be fragmented due to >> IP_DF bit, but there are no app waiting for this error code. >> >> Similar problem is with TCP. Probably we can try to send PRC_MSGSIZE >> notify when EMSGSIZE is returned from ip_output(). At least for TCP. >=20 > What is "an application" in this case? Userland app dealing with socket= s? > Another part of the kernel? Some system daemon similar to natd? TCP tries to automatically adjust MSS to avoid segments loss. It can interoperate with ICMP to handle ICMP UNREACH messages. AFAIR, it works via host cache. I need some time to remember how it works. --=20 WBR, Andrey V. Elsukov --hSvyhLUmzz7d0PegKimjjnUoh7YyAkQWb-- --KeMw8o3QvWPkECmJzYiZMt0LxxAFjF6x6 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQEzBAEBCAAdFiEE5lkeG0HaFRbwybwAAcXqBBDIoXoFAl4AsFkACgkQAcXqBBDI oXq7aQf+LsKqwUSsp0IXc4LAEISZWcjZqODCieRnUxVlhOJJEfsTJOtAjQFtCxcA sqx2vignPecSbd8XRKlI7leEwSFrpaCTYAA5ubqjgsYb+fL01vbDHRp9st1OZCI7 Ks9zuTlopcwG7uDF6CCq75Cg59l0bIifeskUz6KcNm6IdgEVFW3+Xu3lcGvexAPN A3F5O0Q5j8e6pF1ekzPb0PkNN3am3Dqvy/QS+S6Nl0EtiUkLpqJEdosBX1cbqF1N ID6TlWjTzqlVUI7h5hIXvhZ7ObYHvmOysxEymZvh7n+Nk+4nInMD5GKRNPhg5syw VKRUFzcQ1/ueHL8mS+BptVq+8xdVAw== =HHwU -----END PGP SIGNATURE----- --KeMw8o3QvWPkECmJzYiZMt0LxxAFjF6x6--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6eeadbcf-1b0c-1116-adfa-279690f2be58>