From owner-freebsd-security Thu Oct 18 5:27:18 2001 Delivered-To: freebsd-security@freebsd.org Received: from mine.kame.net (kame195.kame.net [203.178.141.195]) by hub.freebsd.org (Postfix) with ESMTP id 5D04B37B409 for ; Thu, 18 Oct 2001 05:27:15 -0700 (PDT) Received: from localhost ([3ffe:501:4819:cafe:260:1dff:fe21:f766]) by mine.kame.net (8.11.1/3.7W) with ESMTP id f9ICbIH02853; Thu, 18 Oct 2001 21:37:18 +0900 (JST) To: tariq_rashid@lineone.net Cc: freebsd-security@freebsd.org Subject: Re: MTU and KAME ipsec In-Reply-To: Your message of "Thu, 18 Oct 2001 19:36:37 +0900" <20011018193637H.sakane@kame.net> References: <20011018193637H.sakane@kame.net> X-Mailer: Cue version 0.6 (010810-1737/sakane) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Message-Id: <20011018212707A.sakane@kame.net> Date: Thu, 18 Oct 2001 21:27:07 +0900 From: Shoichi Sakane X-Dispatcher: imput version 20000228(IM140) Lines: 10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > the following is an example from tcpdump which suggests that the kame ipsec does not take sufficient header length off? i'm transferring a 50MB binary test file from a freebsd box across a kame vpn net onto a win2k box. > > the tcpdump is similar on both vpn bsd endpoints. the vpn protected ftp server' tcpdump shows > 09:31:38.573809 192.168.1.2 > 192.168.1.1: (frag 9260:84@1456) [tos 0x8] > 09:31:38.575036 192.168.1.2 > 192.168.1.1: ESP(spi=0x47534254,seq=0x9f) (frag 9262:1456@0+) [tos 0x8] > 09:31:38.575133 192.168.1.2 > 192.168.1.1: (frag 9262:84@1456) [tos 0x8] in the case of ip forwarding, the fragment takes place after aplying esp to the packet. so this fragment is correct. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message