Date:      Fri, 17 Jan 2020 11:30:21 +0100
From:      Michael Tuexen <tuexen@freebsd.org>
To:        "Andrey V. Elsukov" <bu7cher@yandex.ru>
Cc:        Victor Sudakov <vas@sibptus.ru>, Eugene Grosbein <eugen@grosbein.net>, freebsd-net@freebsd.org
Subject:   Re: IPSec transport mode, mtu, fragmentation...
Message-ID:  <E5D04759-8D47-4EC2-AC3F-F71EA4E58AD0@freebsd.org>
In-Reply-To: <7c153a5a-db38-2770-89c7-9f95f59d29de@yandex.ru>
References:  <20191220152314.GA55278@admin.sibptus.ru> <4cc83b85-dd30-8c0d-330e-aa549ce98c98@yandex.ru> <f9b7357e-ced1-4ce5-40d5-8e3dcad42442@yandex.ru> <d263a709-63cf-7da5-1747-8a6791f6503f@grosbein.net> <20200116155305.GA465@admin.sibptus.ru> <55f7bafa-24c4-9810-0d21-f82cb332ee2d@grosbein.net> <20200116160745.GA1356@admin.sibptus.ru> <72355e03-1cf8-c58f-3aec-b0a21e631870@grosbein.net> <20200117093645.GA51899@admin.sibptus.ru> <7c153a5a-db38-2770-89c7-9f95f59d29de@yandex.ru>

> On 17. Jan 2020, at 10:49, Andrey V. Elsukov <bu7cher@yandex.ru> wrote:
> 
> On 17.01.2020 12:36, Victor Sudakov wrote:
>> Back to the point. I've figured out that both encrypted (in transport
>> mode) and unencrypted TCP segments have the same MSS=1460. Then I'm
>> completely at a loss how the encrypted packets avoid being fragmented.
>> TCP has no way to know in advance that encryption overhead will be
>> added.
> 
> For IPsec endpoints (i.e. when you encrypt own sessions) TCP for each
> outgoing packet invokes IPSEC_HDRSIZE() method, that returns approximate
> size required for IPsec, and using this information it calculates MSS. I
> think this should work in this way.
Can't you then use that also when the MSS is computed to be sent out in
the MSS option? That would avoid using ICMP.

Best regards
Michael
> 
> -- 
> WBR, Andrey V. Elsukov
> 
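The MSS arithmetic the thread describes, as an added example (not code from the thread or from the FreeBSD kernel): it assumes an IPv4/TCP segment carried in ESP transport mode over a constructed SA using AES-CBC (16-byte IV, 16-byte block) with HMAC-SHA1-96 (12-byte ICV), and uses the worst-case ESP overhead as the fixed estimate that the thread's IPSEC_HDRSIZE() is said to provide. The struct and function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Fixed header sizes (IPv4 and TCP without options). */
#define IPV4_HDR_LEN    20
#define TCP_HDR_LEN     20
#define ESP_HDR_LEN      8   /* SPI (4) + sequence number (4) */
#define ESP_TRAILER_LEN  2   /* pad length (1) + next header (1) */

/* Per-SA ESP parameters; the values below are constructed, not read from a kernel SA. */
struct esp_params {
    size_t iv_len;     /* explicit IV length */
    size_t block_len;  /* alignment the padded payload must satisfy */
    size_t icv_len;    /* integrity check value length */
};

/* Constructed SA: AES-CBC (16-byte IV and block) with HMAC-SHA1-96 (12-byte ICV). */
static const struct esp_params aes_cbc_sha1 = { 16, 16, 12 };

/* Exact ESP overhead for a plaintext payload of plen bytes (RFC 4303 padding rule:
 * payload + padding + 2-byte trailer must be a multiple of block_len). */
size_t esp_overhead(const struct esp_params *p, size_t plen)
{
    size_t pad = (p->block_len - (plen + ESP_TRAILER_LEN) % p->block_len) % p->block_len;
    return ESP_HDR_LEN + p->iv_len + pad + ESP_TRAILER_LEN + p->icv_len;
}

/* Worst-case overhead (maximum padding): a fixed estimate usable before the
 * segment length is known, the role the thread attributes to IPSEC_HDRSIZE(). */
size_t esp_max_overhead(const struct esp_params *p)
{
    return ESP_HDR_LEN + p->iv_len + (p->block_len - 1) + ESP_TRAILER_LEN + p->icv_len;
}

/* MSS that keeps every ESP-protected segment within mtu (0 if mtu is too small). */
size_t ipsec_mss(size_t mtu, const struct esp_params *p)
{
    size_t fixed = IPV4_HDR_LEN + TCP_HDR_LEN + esp_max_overhead(p);
    return mtu > fixed ? mtu - fixed : 0;
}

/* On-wire IPv4 length of a transport-mode segment carrying seglen bytes of data. */
size_t wire_len(size_t seglen, const struct esp_params *p)
{
    size_t plen = TCP_HDR_LEN + seglen;   /* ESP payload = TCP header + data */
    return IPV4_HDR_LEN + plen + esp_overhead(p, plen);
}

int main(void)
{
    size_t mss = ipsec_mss(1500, &aes_cbc_sha1);
    printf("MSS 1460 -> %zu bytes; IPsec-aware MSS %zu -> %zu bytes (MTU 1500)\n",
           wire_len(1460, &aes_cbc_sha1), mss, wire_len(mss, &aes_cbc_sha1));
    return 0;
}
```

With the plain MSS of 1460 the protected packet comes out at 1544 bytes and would need fragmentation at a 1500-byte MTU; the overhead-aware MSS of 1407 keeps it at 1496.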