From owner-freebsd-net@freebsd.org Mon Dec 23 10:47:36 2019
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Victor Sudakov
Cc: freebsd-net@freebsd.org, Michael Tuexen
Subject: Re: IPSec transport mode, mtu, fragmentation...
Date: Mon, 23 Dec 2019 13:45:54 +0300
Message-ID: <3edbc7ad-a760-48c7-3222-202d7a835fe5@yandex.ru>
In-Reply-To: <20191223100655.GA41651@admin.sibptus.ru>
List-Id: Networking and TCP/IP with FreeBSD
On 23.12.2019 13:06, Victor Sudakov wrote:
>> ESP xform for transport mode just replaces protocol in IP header and
>> adds some info to the end of a packet.
>
> It is rather easy to verify your theory. If you are right, then
> disabling net.inet.tcp.path_mtu_discovery globally should remove the DF
> flags from the ESP packets too, right?
>
> Of course, net.inet.tcp.path_mtu_discovery=0 is not a solution, it's just
> a way to check the origin of the DF flag.
>
> And if you are right, what does it mean to us? Did you see
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=242744 already ?
>
> My ultimate wish is to make transport mode work out of the box, without
> any workarounds like additional host routes or firewall rules.

I think the real problem is that PMTUD doesn't work correctly with IPsec.
Linux has a special sysctl variable ip_no_pmtu_disc and the flag
SADB_SAFLAGS_NOPMTUDISC for an SA that can disable PMTUD for IPv4, and the
IP_DF flag will not be set. We can add some similar quirks, but it would be
better to fix PMTUD. We already have hundreds of sysctls in our system and
remembering all of them is a problem too.

-- 
WBR, Andrey V. Elsukov
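The check Victor proposes in the quoted message (turn off net.inet.tcp.path_mtu_discovery and see whether ESP packets still carry DF) can be scripted. The POSIX shell script below is an added example written for this archive page; it is not code from the thread or from FreeBSD. It assumes capture lines in the format `tcpdump -nv` prints for IPv4 (`flags [DF], proto ESP (50)`), and the capture embedded in it is constructed for the example, not a real trace. The `verdict` function's four outcome labels are likewise this example's own naming.

```shell
#!/bin/sh
# Added example (not from the thread): count ESP packets with the IPv4 DF
# flag in tcpdump -nv output and interpret the count against the value of
# net.inet.tcp.path_mtu_discovery on the sending host.

# Constructed sample in tcpdump -nv format (IPv4). Lines 1 and 4 are ESP
# with DF set, line 2 is ESP without DF, line 3 is a TCP SYN with DF.
SAMPLE_CAPTURE='10:47:31.000001 IP (tos 0x0, ttl 64, id 4711, offset 0, flags [DF], proto ESP (50), length 1500) 192.0.2.10 > 192.0.2.20: ESP(spi=0x00001000,seq=0x1), length 1480
10:47:31.000002 IP (tos 0x0, ttl 64, id 4712, offset 0, flags [none], proto ESP (50), length 1500) 192.0.2.10 > 192.0.2.20: ESP(spi=0x00001000,seq=0x2), length 1480
10:47:31.000003 IP (tos 0x0, ttl 64, id 4713, offset 0, flags [DF], proto TCP (6), length 60) 192.0.2.10.22 > 192.0.2.20.49152: Flags [S], seq 1, win 65535, length 0
10:47:31.000004 IP (tos 0x0, ttl 64, id 4714, offset 0, flags [DF], proto ESP (50), length 1500) 192.0.2.10 > 192.0.2.20: ESP(spi=0x00001000,seq=0x3), length 1480'

# count_esp_df: number of IPv4 ESP packets on stdin that have DF set.
# awk is used instead of grep -c so an empty result prints 0 with exit 0.
count_esp_df() {
    awk '/proto ESP \(50\)/ && /flags \[DF\]/ { n++ } END { print n + 0 }'
}

# count_esp: total number of IPv4 ESP packets on stdin.
count_esp() {
    awk '/proto ESP \(50\)/ { n++ } END { print n + 0 }'
}

# verdict PMTUD DF_COUNT: interpret an ESP DF count given the sender's
# net.inet.tcp.path_mtu_discovery value (read on FreeBSD with
# `sysctl -n net.inet.tcp.path_mtu_discovery`). Labels are this example's own.
verdict() {
    pmtud=$1
    df=$2
    if [ "$pmtud" -eq 0 ] && [ "$df" -gt 0 ]; then
        # DF is still present with TCP PMTUD off: the flag on ESP packets
        # is not controlled by that sysctl alone.
        echo "df-set-despite-pmtud-off"
    elif [ "$pmtud" -eq 0 ]; then
        # Consistent with the hypothesis that ESP inherits DF from TCP PMTUD.
        echo "df-cleared-with-pmtud-off"
    elif [ "$df" -gt 0 ]; then
        echo "df-set-pmtud-on"
    else
        echo "df-clear-pmtud-on"
    fi
}

# Stand-alone run on the constructed capture; on a real host, pipe
# `tcpdump -nv -i IFACE esp` output into count_esp_df instead.
df_count=$(printf '%s\n' "$SAMPLE_CAPTURE" | count_esp_df)
total=$(printf '%s\n' "$SAMPLE_CAPTURE" | count_esp)
echo "ESP packets: $total, with DF: $df_count"
echo "verdict (assuming path_mtu_discovery=0): $(verdict 0 "$df_count")"
```

Run it once with the sysctl at its default and once with it set to 0, capturing on the outgoing interface both times; only the second run is informative, and a non-zero DF count there is the observation that would point past TCP PMTUD as the sole origin of the flag.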