Date:      Thu, 16 Jan 2020 16:39:38 +0300
From:      "Andrey V. Elsukov" <bu7cher@yandex.ru>
To:        Victor Sudakov <vas@sibptus.ru>, freebsd-net@freebsd.org
Cc:        Michael Tuexen <tuexen@freebsd.org>
Subject:   Re: IPSec transport mode, mtu, fragmentation...
Message-ID:  <f9b7357e-ced1-4ce5-40d5-8e3dcad42442@yandex.ru>
In-Reply-To: <4cc83b85-dd30-8c0d-330e-aa549ce98c98@yandex.ru>
References:  <20191220152314.GA55278@admin.sibptus.ru> <4cc83b85-dd30-8c0d-330e-aa549ce98c98@yandex.ru>

On 23.12.2019 15:00, Andrey V. Elsukov wrote:
> On 20.12.2019 18:23, Victor Sudakov wrote:
>> Dear Colleagues,
>>
>> I've set up IPSec in transport mode between two regular FreeBSD hosts,
>> for testing. Now TCP sessions between those hosts don't work normally
>> any more. For example, scp is stalled almost immediately after starting
>> a file transfer, and so is interactive ssh eventually.
>>
>> I feel that the problem is somehow related to MTU, MSS and fragmentation
>> of ESP packets, because:
>>
>> 1. When IPSec is disabled, I can "ping -s1472 -D" the remote host all
>> right.
>>
>> 2. When IPSec is enabled, the maximum packet size I've been able to send
>> through is "ping -s1414 -D". ("ping -s1415 -D host-b" already disappears
>> in the void).
> 
> I think the silence from ping is due to IPsec working asynchronously.
> I.e. when the application sends data to the stack, it receives good feedback
> and thinks that the data was sent successfully, then it waits for a reply.
> But IPsec consumes the data, and the encrypted data will then be sent from
> the crypto thread via a callback. And now it cannot be fragmented due to the
> IP_DF bit, but there is no app waiting for this error code.
> 
> A similar problem exists with TCP. Probably we can try to send a PRC_MSGSIZE
> notify when EMSGSIZE is returned from ip_output(). At least for TCP.

Hi,

I prepared a PoC patch that should fix the problem with TCP and
transport mode IPsec. But I have no free time currently to properly
test and debug it. It is only compile-tested. But if you want, you can
try :)
Currently only IPv4 support is implemented.

https://people.freebsd.org/~ae/ipsec_transport_mode_ctlinput.diff

-- 
WBR, Andrey V. Elsukov
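As an added illustration (not part of the thread, and not the patch linked above): a small shell helper that automates the DF ping probes Victor did by hand, binary-searching the largest payload that crosses the path, and derives the per-packet overhead IPsec adds from the two sizes. It assumes FreeBSD ping(8) flags (-D sets DF, -s is the payload size, -t is a timeout in seconds) and a reachable peer named host-b.

```shell
#!/bin/sh
# Constructed example: find the largest ICMP payload that gets through with
# DF set, the way "ping -s N -D host-b" probes do, but automated.

# Predicate for the real probe: does one DF ping of $2 payload bytes reach $1?
# Assumes FreeBSD ping(8) option syntax.
ping_df_ok() {
    ping -c 1 -t 2 -D -s "$2" "$1" >/dev/null 2>&1
}

# largest_ok HOST LO HI PREDICATE
# Binary search for the largest payload in [LO, HI] for which
# "PREDICATE HOST SIZE" succeeds. Assumes success is monotone (if size N
# passes, every smaller size passes). Prints the size, or "none" when even
# LO fails, so a wrong range is reported rather than silently mis-measured.
largest_ok() {
    host=$1; lo=$2; hi=$3; pred=$4
    "$pred" "$host" "$lo" || { echo none; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$pred" "$host" "$mid"; then
            lo=$mid            # mid still fits: search upward
        else
            hi=$((mid - 1))    # mid was dropped: search downward
        fi
    done
    echo "$lo"
}

# esp_overhead PLAIN_MAX IPSEC_MAX
# Bytes IPsec adds to each packet, i.e. how much smaller the largest
# payload (and so the usable TCP MSS) becomes once the SA is active.
esp_overhead() {
    echo $(( $1 - $2 ))
}

# Usage against a live peer (not run by the test, needs a network):
#   plain=$(largest_ok host-b 1200 1472 ping_df_ok)   # with IPsec disabled
#   ipsec=$(largest_ok host-b 1200 1472 ping_df_ok)   # with IPsec enabled
#   esp_overhead "$plain" "$ipsec"
```

With the sizes quoted in the thread (1472 without IPsec, 1414 with it) the overhead comes out at 58 bytes per packet.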