Date: Mon, 23 Dec 2019 17:55:22 +0700
From: Eugene Grosbein <eugen@grosbein.net>
To: "Andrey V. Elsukov" <bu7cher@yandex.ru>, Victor Sudakov <vas@sibptus.ru>
Cc: freebsd-net@freebsd.org, Michael Tuexen <tuexen@freebsd.org>
Subject: Re: IPSec transport mode, mtu, fragmentation...
Message-ID: <35fd51d5-c171-c97c-5bb2-529912d75844@grosbein.net>
In-Reply-To: <3edbc7ad-a760-48c7-3222-202d7a835fe5@yandex.ru>
References: <20191220152314.GA55278@admin.sibptus.ru> <f38d1f3c-dc47-0776-29f9-2151b05e09b0@tuxpowered.net> <20191220160357.GB56081@admin.sibptus.ru> <20191220162233.GA56815@admin.sibptus.ru> <55eeca4c-9633-339a-f521-b0db462cc1d6@yandex.ru> <20191223100655.GA41651@admin.sibptus.ru> <3edbc7ad-a760-48c7-3222-202d7a835fe5@yandex.ru>
23.12.2019 17:45, Andrey V. Elsukov wrote:
> On 23.12.2019 13:06, Victor Sudakov wrote:
>>> ESP xform for transport mode just replaces protocol in IP header and
>>> adds some info to the end of a packet.
>>
>> It is rather easy to verify your theory. If you are right, then
>> disabling net.inet.tcp.path_mtu_discovery globally should remove the DF
>> flags from the ESP packets too, right?
>>
>> Of course, net.inet.tcp.path_mtu_discovery=0 is not a solution, it's just
>> a way to check the origin of the DF flag.
>>
>> And if you are right, what does it mean to us? Did you see
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=242744 already?
>>
>> My ultimate wish is to make transport mode work out of the box, without
>> any workarounds like additional host routes or firewall rules.
>
> I think the real problem is that PMTUD doesn't work correctly with
> IPsec. Linux has special sysctl variable ip_no_pmtu_disc and flag
> SADB_SAFLAGS_NOPMTUDISC for SA that can disable PMTUD for IPv4 and IP_DF
> flag will not be set. We can add some similar quirks, but it would be
> better to fix PMTUD. We already have hundreds of sysctls in our system and
> remembering all of them is a problem too.

It's true that PMTUD does not work with IPSec transport mode. I think we could just clear the DF bit off encapsulated transport mode packets unconditionally; please take a look at the last chunk of the sample patch in PR 242744:

https://bz-attachments.freebsd.org/attachment.cgi?id=210122

The sample patch creates another sysctl, but we should do it unconditionally, shouldn't we?
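A small model of the sizing problem the thread describes, added here as an example and not part of the original message or of any FreeBSD code: it shows how a full-size TCP segment stops fitting the MTU once ESP transport mode appends its trailer, and what happens depending on whether the DF bit inherited from TCP PMTUD is kept or cleared. The transform (AES-CBC with HMAC-SHA1-96), the 1500-byte MTU and the 1460-byte MSS are assumptions; the thread names no specific values.

```python
# Added example (not from the thread): model ESP transport-mode overhead and
# the effect of the DF bit on an oversized ESP packet. Transform sizes are
# assumptions chosen for illustration.
from dataclasses import dataclass

IPV4_HDR = 20
TCP_HDR = 20


@dataclass(frozen=True)
class EspTransform:
    iv_len: int    # cipher IV bytes placed after the sequence number
    block: int     # cipher block size; payload+2 is padded to it (min 4)
    icv_len: int   # integrity check value appended after the trailer


AES_CBC_SHA1 = EspTransform(iv_len=16, block=16, icv_len=12)  # assumed transform


def esp_padding(payload_len: int, block: int) -> int:
    """Padding so payload + pad + pad-length + next-header is block aligned."""
    return (-(payload_len + 2)) % max(block, 4)


def esp_transport_len(inner_payload_len: int, xf: EspTransform) -> int:
    """On-wire IPv4 length after ESP transport mode wraps the L4 payload.
    The original IP header is kept; SPI(4) + seq(4) + IV + payload + pad +
    pad-length(1) + next-header(1) + ICV follows it."""
    esp = (8 + xf.iv_len + inner_payload_len
           + esp_padding(inner_payload_len, xf.block) + 2 + xf.icv_len)
    return IPV4_HDR + esp


def deliver(mtu: int, mss: int, xf: EspTransform, df: bool) -> str:
    """Fate of one full-size segment on the ESP-protected path (model)."""
    wire = esp_transport_len(TCP_HDR + mss, xf)
    if wire <= mtu:
        return "sent"
    if df:
        return "dropped"  # DF inherited from TCP forbids fragmenting the ESP packet
    # DF cleared on the ESP packet: fragment the ESP data in 8-byte units
    frag_payload = (mtu - IPV4_HDR) // 8 * 8
    nfrags = -(-(wire - IPV4_HDR) // frag_payload)
    return f"fragmented:{nfrags}"


def mss_for_path(mtu: int, xf: EspTransform) -> int:
    """Largest MSS whose ESP-wrapped segment still fits the MTU, i.e. the
    value a PMTUD aware of the SA's overhead would have to settle on."""
    mss = mtu - IPV4_HDR - TCP_HDR
    while esp_transport_len(TCP_HDR + mss, xf) > mtu:
        mss -= 1
    return mss
```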