From: "Andrey V. Elsukov"
To: Eugene Grosbein, Victor Sudakov, freebsd-net@freebsd.org
Cc: Michael Tuexen
Subject: Re: IPSec transport mode, mtu, fragmentation...
Date: Mon, 23 Dec 2019 15:17:29 +0300
Message-ID: <6eeadbcf-1b0c-1116-adfa-279690f2be58@yandex.ru>
In-Reply-To: <1c58795b-4f9f-1921-9057-500aef442ae2@grosbein.net>
References: <20191220152314.GA55278@admin.sibptus.ru> <4cc83b85-dd30-8c0d-330e-aa549ce98c98@yandex.ru> <1c58795b-4f9f-1921-9057-500aef442ae2@grosbein.net>

On 23.12.2019 15:12, Eugene Grosbein wrote:
> 23.12.2019 19:00, Andrey V. Elsukov wrote:
>
>> I think the silence from ping is due to IPsec working asynchronously.
>> I.e. when application sends data to the stack, it receives good feedback
>> and thinks that data was sent successfully, then it waits for reply.
>> But IPsec consumes the data and then encrypted data will be sent from
>> crypto thread via callback. And now they can not be fragmented due to
>> IP_DF bit, but there is no app waiting for this error code.
>>
>> Similar problem is with TCP. Probably we can try to send PRC_MSGSIZE
>> notify when EMSGSIZE is returned from ip_output(). At least for TCP.
>
> What is "an application" in this case? Userland app dealing with sockets?
> Another part of the kernel? Some system daemon similar to natd?

TCP tries to automatically adjust MSS to avoid segment loss. It can
interoperate with ICMP to handle ICMP UNREACH messages. AFAIR, it works
via host cache. I need some time to remember how it works.

-- 
WBR, Andrey V. Elsukov