From owner-freebsd-net@FreeBSD.ORG  Tue Sep 12 03:44:49 2006
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
X-Original-To: net@freebsd.org
Delivered-To: freebsd-net@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id EDFE216A407
	for <net@freebsd.org>; Tue, 12 Sep 2006 03:44:49 +0000 (UTC)
	(envelope-from eugen@kuzbass.ru)
Received: from www.svzserv.kemerovo.su (www.svzserv.kemerovo.su
	[213.184.65.80])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 31BD143D46
	for <net@freebsd.org>; Tue, 12 Sep 2006 03:44:48 +0000 (GMT)
	(envelope-from eugen@kuzbass.ru)
Received: from kuzbass.ru (kost [213.184.65.82])
	by www.svzserv.kemerovo.su (8.13.8/8.13.8) with ESMTP id k8C3ihOQ035903;
	Tue, 12 Sep 2006 11:44:43 +0800 (KRAST)
	(envelope-from eugen@kuzbass.ru)
Message-ID: <45062D2C.D5F95D6B@kuzbass.ru>
Date: Tue, 12 Sep 2006 11:44:44 +0800
From: Eugene Grosbein <eugen@kuzbass.ru>
Organization: SVZServ
X-Mailer: Mozilla 4.8 [en] (Windows NT 5.0; U)
X-Accept-Language: ru,en
MIME-Version: 1.0
To: Kelly Yancey <kbyanc@posi.net>
References: <200609111341.k8BDfneZ020221@nkz.delikates-nk.ru>
	<20060911131513.S27693@gateway.posi.net>
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
Cc: VANHULLEBUS Yvan <vanhu_bsd@zeninc.net>,
	Eugene Grosbein <eugen@grosbein.pp.ru>, net@freebsd.org
Subject: Re: ipsec with ipfw divert (not NAT) encodes a packet twice
 breaking PMTUD
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Sep 2006 03:44:50 -0000

Kelly Yancey wrote:

>   Just FYI, when we implemented the enc interface for FreeBSD 4.10 for
> one of our products at work, we encountered a similar issue.  The
> problem is that you need to add a flag to the sockaddr_in passed to the
> divert(4) consumer; when that consumer re-injects the packets into the
> network stack, ip_output() needs to check for the flag and goto
> skip_ipsec to avoid re-encapsulation.  The next issue is that
> there is no room in the sockaddr_in structure for such a flag.

Another problem with divert is described in detail here:
http://freebsd.rambler.ru/bsdmail/freebsd-net_2004/msg01736.html

In short: divert of a packet removes multicast options that it may have
and bad things happen with RIPv2 multicast packets.

Eugene