From: Michael Sierchio (kudzu@tenebras.com)
Date: Sat, 18 Jan 2020 06:44:56 -0800
Subject: Re: IPSec transport mode, mtu, fragmentation...
To: Eugene Grosbein
Cc: Victor Sudakov, freebsd-net@freebsd.org, Andrey V. Elsukov, Michael Tuexen
List: freebsd-net@freebsd.org (Networking and TCP/IP with FreeBSD)

[apologies for top-posting]

What is the result of

    sysctl net.enc

? This might be a clue about the packets, which you could be seeing twice.

On Sat, Jan 18, 2020 at 3:17 AM Eugene Grosbein wrote:

> 18.01.2020 17:55, Victor Sudakov wrote:
>
> >>>>> Back to the point. I've figured out that both encrypted (in transport
> >>>>> mode) and unencrypted TCP segments have the same MSS=1460. Then I'm
> >>>>> completely at a loss how the encrypted packets avoid being fragmented.
> >>>>> TCP has no way to know in advance that encryption overhead will be
> >>>>> added.
> >
> > Here: http://admin.sibptus.ru/~vas/ftp-pcap.tar.gz you can find two
> > identical FTP sessions, the only difference being ipsec=off during one
> > session and ipsec=on during the other one.
> >
> > As I said, in both the sessions MSS=1460 which is already odd, and I
> > can't explain to myself why file transfer still works without MSS
> > adjustment.
> >
> > Moreover, something fishy is happening in the encrypted session: there
> > are many TCP retransmissions (I was capturing on the FTP server's side,
> > so there are many segments with the same sequence number). How would you
> > explain this? There are almost no retransmissions in the unencrypted
> > session.
> >
> > All this is happening in a lab environment (one bhyve VM is an FTP
> > server and the other downloads a file from the first), both VMs are on
> > the same bridge interface. There are almost 19,000 packets in the
> > encrypted file vs 12,000 in the plain file, I think because of those
> > excessive retransmissions.
> >
> > Could the retransmissions be some artifact of the enc(4) interface I was
> > capturing the encrypted session on?
>
> I doubt it. And I can't explain this, but maybe it's work of PMTUD
> Blackhole detection?
> Look at sysctl net.inet.tcp | fgrep blackhole_

-- 
"Well," Brahmā said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent person requires only two thousand five hundred."
- The Mahābhārata
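The question quoted above (how a segment sized to MSS=1460 can fit a 1500-byte MTU once ESP transport-mode overhead is added) comes down to arithmetic over the ESP packet layout in RFC 4303. The Python below is an added example written for this page; it is not code from the thread, from FreeBSD, or from any participant. It assumes IPv4 without options, a 20-byte TCP header on data segments, and the standard IV, alignment and ICV sizes of three common ESP suites (the thread does not say which transform Victor's SAs actually use, so the suite table is an assumption). It computes the on-the-wire size of an ESP-protected segment and the largest TCP payload that still fits a given MTU, which is the value an MSS clamp would have to use.

```python
"""ESP transport-mode overhead versus TCP MSS (added example, not from the thread).

Layout of an ESP transport-mode packet over IPv4 (RFC 4303):

    IPv4 hdr | SPI+Seq (8) | IV | [TCP hdr + TCP payload + padding + PadLen + NextHdr] | ICV

The bracketed part is what gets encrypted; padding brings it up to the
cipher's block alignment (16 for AES-CBC; RFC 4303 requires at least 4).
"""
from dataclasses import dataclass

IPV4_HDR = 20      # assumption: no IP options
TCP_HDR = 20       # assumption: no TCP options on data segments
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # Pad Length (1) + Next Header (1)


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv: int      # IV length in bytes
    align: int   # required alignment of (TCP hdr + payload + padding + trailer)
    icv: int     # Integrity Check Value length in bytes


# Standard sizes for three common suites. These are assumed for illustration;
# the thread does not state which transform the lab SAs use.
SUITES = {
    "null-sha1": EspSuite("NULL + HMAC-SHA1-96", iv=0, align=4, icv=12),
    "aes-cbc-sha1": EspSuite("AES-CBC + HMAC-SHA1-96", iv=16, align=16, icv=12),
    "aes-gcm-16": EspSuite("AES-GCM-16", iv=8, align=4, icv=16),
}


def esp_transport_size(tcp_payload: int, suite: EspSuite) -> int:
    """IPv4 length on the wire of a TCP segment after ESP transport mode."""
    inner = TCP_HDR + tcp_payload + ESP_TRAILER
    pad = (-inner) % suite.align          # bytes needed to reach block alignment
    return IPV4_HDR + ESP_HDR + suite.iv + inner + pad + suite.icv


def esp_overhead(tcp_payload: int, suite: EspSuite) -> int:
    """Bytes ESP adds over the plain IPv4+TCP segment (varies with padding)."""
    return esp_transport_size(tcp_payload, suite) - (IPV4_HDR + TCP_HDR + tcp_payload)


def fits(tcp_payload: int, mtu: int, suite: EspSuite) -> bool:
    """Does a segment of this payload size survive ESP without exceeding the MTU?"""
    return esp_transport_size(tcp_payload, suite) <= mtu


def max_tcp_payload(mtu: int, suite: EspSuite) -> int:
    """Largest TCP payload whose ESP-protected packet still fits the MTU.

    This is the MSS a host should advertise, or a middlebox should clamp to,
    on a path whose traffic will be ESP-encapsulated in transport mode.
    """
    plain_mss = mtu - IPV4_HDR - TCP_HDR   # 1460 for a 1500-byte MTU: TCP's default guess
    for payload in range(plain_mss, -1, -1):
        if fits(payload, mtu, suite):
            return payload
    raise ValueError("MTU too small for any ESP payload")


if __name__ == "__main__":
    mtu, mss = 1500, 1460
    for suite in SUITES.values():
        size = esp_transport_size(mss, suite)
        verdict = "fits" if size <= mtu else "exceeds MTU; must fragment or rely on PMTUD"
        print(f"{suite.name:24s} MSS={mss}: {size} bytes on the wire ({verdict}); "
              f"max payload for MTU {mtu} = {max_tcp_payload(mtu, suite)}")
```

Under every one of these suites a full 1460-byte segment comes out above 1500 bytes after ESP (1524, 1544 and 1536 bytes respectively), so an unclamped MSS of 1460 guarantees oversized packets; the example only does the arithmetic and says nothing about what the bhyve bridge or the enc(4) capture path did with them.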