Date:      Mon, 23 Dec 2019 18:08:16 +0700
From:      Eugene Grosbein <eugen@grosbein.net>
To:        "Andrey V. Elsukov" <bu7cher@yandex.ru>, Victor Sudakov <vas@sibptus.ru>
Cc:        freebsd-net@freebsd.org, Michael Tuexen <tuexen@freebsd.org>
Subject:   Re: IPSec transport mode, mtu, fragmentation...
Message-ID:  <e9bbf019-f126-8e5b-87ac-698c04406278@grosbein.net>
In-Reply-To: <bbaa6ae8-e1f6-1aaf-9291-7dbfc7b9b419@yandex.ru>
References:  <20191220152314.GA55278@admin.sibptus.ru> <f38d1f3c-dc47-0776-29f9-2151b05e09b0@tuxpowered.net> <20191220160357.GB56081@admin.sibptus.ru> <20191220162233.GA56815@admin.sibptus.ru> <55eeca4c-9633-339a-f521-b0db462cc1d6@yandex.ru> <20191223100655.GA41651@admin.sibptus.ru> <3edbc7ad-a760-48c7-3222-202d7a835fe5@yandex.ru> <35fd51d5-c171-c97c-5bb2-529912d75844@grosbein.net> <bbaa6ae8-e1f6-1aaf-9291-7dbfc7b9b419@yandex.ru>

23.12.2019 18:00, Andrey V. Elsukov wrote:

> On 23.12.2019 13:55, Eugene Grosbein wrote:
>>> I think the real problem is that PMTUD doesn't work correctly with
>>> IPsec. Linux has a special sysctl variable ip_no_pmtu_disc and a flag
>>> SADB_SAFLAGS_NOPMTUDISC for an SA that can disable PMTUD for IPv4, and the IP_DF
>>> flag will not be set. We can add some similar quirks, but it would be
>>> better to fix PMTUD. We already have hundreds of sysctls in our system, and
>>> remembering all of them is a problem too.
>>
>> It's true that PMTUD does not work with IPSec transport mode.
>>
>> I think we could just clear the DF bit on encapsulated transport mode packets unconditionally;
>> please take a look at the last chunk of the sample patch in PR 242744:
>> https://bz-attachments.freebsd.org/attachment.cgi?id=210122
>>
>> The sample patch creates another sysctl, but we should do it unconditionally, shouldn't we?
> 
> As I said, I didn't find that other OSes do this. Linux has PMTUD
> enabled by default, strongSwan doesn't set the SADB_SAFLAGS_NOPMTUDISC flag,
> and OpenBSD doesn't have such a quirk. Why should we add this instead of trying to fix
> PMTUD?

RFC 2401 Appendix B https://tools.ietf.org/html/rfc2401#page-1-48 states
that packets generated by IPsec transport mode must be "fragmentable" over the path,
and this is incompatible with DF=1.
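The sizing behind this argument, as an added example that is not part of the thread or of any FreeBSD patch: a TCP host sizes its segments from its interface MTU, transport-mode ESP then adds SPI, sequence number, IV, padding, trailer and ICV on top, and the encapsulated packet no longer fits the very link the MSS was derived from. The example computes that overhead for two assumed ESP parameter sets (AES-CBC-128 with HMAC-SHA1-96, and AES-GCM-128; the header, alignment, IV and ICV sizes follow RFC 4303, 3602, 2404 and 4106), then walks the packet over a constructed three-hop path once with DF set and once with DF cleared, showing the drop plus ICMP "fragmentation needed" in the first case and ordinary fragmentation in the second. The hop MTUs, the 1460-byte MSS and the parameter sets are assumptions for illustration.

```python
"""Constructed example (not from the thread): size a transport-mode ESP packet and
show what a router does with it when DF is set versus cleared.

Assumed: IPv4 and TCP headers without options, and the ESP parameter sets below
(SPI + sequence = 8 bytes; padding aligns Pad Length/Next Header per RFC 4303;
IV/ICV/alignment sizes per RFC 3602, RFC 2404 and RFC 4106)."""
from dataclasses import dataclass

IPV4_HDR = 20      # IPv4 header without options
TCP_HDR = 20       # TCP header without options
ESP_FIXED = 8      # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # Pad Length (1) + Next Header (1)


@dataclass(frozen=True)
class EspParams:
    name: str
    iv_len: int    # explicit IV carried in the ESP payload
    align: int     # padding aligns (inner payload + trailer) to this many bytes
    icv_len: int   # integrity check value appended after the trailer


# Assumed parameter sets, chosen as typical transport-mode SAs.
AES_CBC_SHA1 = EspParams("aes-cbc-128 + hmac-sha1-96", iv_len=16, align=16, icv_len=12)
AES_GCM_128 = EspParams("aes-gcm-128", iv_len=8, align=4, icv_len=16)


def esp_padding(inner_len: int, sa: EspParams) -> int:
    """Padding bytes so that inner payload + trailer ends on the cipher's alignment."""
    return (-(inner_len + ESP_TRAILER)) % sa.align


def esp_transport_len(tcp_data: int, sa: EspParams) -> int:
    """Total IPv4 length once transport-mode ESP wraps a TCP segment carrying tcp_data bytes."""
    inner = TCP_HDR + tcp_data
    return (IPV4_HDR + ESP_FIXED + sa.iv_len + inner
            + esp_padding(inner, sa) + ESP_TRAILER + sa.icv_len)


def max_tcp_mss(link_mtu: int, sa: EspParams) -> int:
    """Largest TCP data size whose ESP transport-mode packet still fits in link_mtu."""
    return max(d for d in range(link_mtu) if esp_transport_len(d, sa) <= link_mtu)


def router_action(total_len: int, df: bool, link_mtu: int) -> str:
    """Forwarding decision for an IPv4 packet on a link of link_mtu bytes (RFC 791 / RFC 1191)."""
    if total_len <= link_mtu:
        return "forwarded"
    if df:
        return f"dropped: ICMP fragmentation needed, next-hop MTU {link_mtu}"
    frag_data = (link_mtu - IPV4_HDR) // 8 * 8          # fragment payloads are 8-byte multiples
    nfrag = -(-(total_len - IPV4_HDR) // frag_data)      # ceiling division
    return f"fragmented into {nfrag} pieces"


def send_through(tcp_data: int, sa: EspParams, df: bool, path_mtus) -> list:
    """Walk the encapsulated packet hop by hop and record what each router did."""
    total = esp_transport_len(tcp_data, sa)
    log = []
    for hop, mtu in enumerate(path_mtus, 1):
        action = router_action(total, df, mtu)
        log.append(f"hop {hop} mtu {mtu}: {total}-byte ESP packet {action}")
        if action.startswith("dropped"):
            break                                        # nothing left to forward
        if action.startswith("fragmented"):
            total = IPV4_HDR + (mtu - IPV4_HDR) // 8 * 8  # largest fragment travels on
    return log


if __name__ == "__main__":
    # A host with a 1500-byte interface MTU advertises MSS 1460 (1500 - 20 - 20) ...
    for sa in (AES_CBC_SHA1, AES_GCM_128):
        print(f"{sa.name}: MSS-1460 segment becomes {esp_transport_len(1460, sa)} bytes; "
              f"largest MSS that fits a 1500-byte link is {max_tcp_mss(1500, sa)}")
    # ... so with DF=1 the first 1500-byte link already drops it and returns an ICMP error
    # that quotes the outer ESP packet, while with DF=0 it is fragmented and still arrives.
    for df in (True, False):
        for line in send_through(1460, AES_CBC_SHA1, df, [1500, 1500, 1400]):
            print(f"DF={int(df)} {line}")
```

The point the numbers make: the overhead is per-SA (cipher block alignment, IV and ICV lengths), so the host's MSS cannot be fixed by one constant, and with DF set the ICMP error names the outer ESP packet rather than the TCP flow inside it; that is the mapping a PMTUD fix would have to get right, whereas clearing DF sidesteps it by making the packet fragmentable as RFC 2401 Appendix B describes.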




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?e9bbf019-f126-8e5b-87ac-698c04406278>