Date: Mon, 23 Dec 2019 14:28:18 +0300
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Eugene Grosbein <eugen@grosbein.net>, Victor Sudakov <vas@sibptus.ru>
Cc: freebsd-net@freebsd.org, Michael Tuexen <tuexen@freebsd.org>
Subject: Re: IPSec transport mode, mtu, fragmentation...
Message-ID: <5793a8ad-bf37-f2f2-29d8-29497d782651@yandex.ru>
In-Reply-To: <e9bbf019-f126-8e5b-87ac-698c04406278@grosbein.net>
References: <20191220152314.GA55278@admin.sibptus.ru> <f38d1f3c-dc47-0776-29f9-2151b05e09b0@tuxpowered.net> <20191220160357.GB56081@admin.sibptus.ru> <20191220162233.GA56815@admin.sibptus.ru> <55eeca4c-9633-339a-f521-b0db462cc1d6@yandex.ru> <20191223100655.GA41651@admin.sibptus.ru> <3edbc7ad-a760-48c7-3222-202d7a835fe5@yandex.ru> <35fd51d5-c171-c97c-5bb2-529912d75844@grosbein.net> <bbaa6ae8-e1f6-1aaf-9291-7dbfc7b9b419@yandex.ru> <e9bbf019-f126-8e5b-87ac-698c04406278@grosbein.net>
On 23.12.2019 14:08, Eugene Grosbein wrote:
>>> Sample patch creates another sysctl but we should do it unconditionally, don't we?
>>
>> As I said, I didn't find that other OSes do this. Linux has PMTUD
>> enabled by default, strongswan doesn't set the SADB_SAFLAGS_NOPMTUDISC flag,
>> OpenBSD doesn't have such a quirk. Why should we add this instead of trying to fix
>> PMTUD?
>
> RFC 2401 Appendix B https://tools.ietf.org/html/rfc2401#page-1-48 states
> that packets generated by IPSec transport mode must be "fragmentable" over the path
> and this is incompatible with DF=1.

I don't see such a requirement here; I think you read this somewhere
between the lines :-)

"If required, IP fragmentation occurs after IPsec processing within an IPsec implementation. Thus, transport mode AH or ESP is applied only to whole IP datagrams (not to IP fragments)."

This is exactly how it works now. IPsec does the encryption and passes the ESP packet to the IP stack, where it can then be fragmented if that is allowed (i.e. no DF bit set).

"An IP packet to which AH or ESP has been applied may itself be fragmented by routers en route, and such fragments MUST be reassembled prior to IPsec processing at a receiver."

If fragmentation was allowed at the previous step, the receiver will have several fragments that are reassembled into a single ESP packet, which is then decrypted and passed to the IP stack. I.e. IPsec will not try to decrypt each fragment before reassembly.

-- 
WBR, Andrey V. Elsukov
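The ordering the reply describes (ESP applied to the whole datagram, IP fragmentation of the resulting ESP packet only if DF is clear, reassembly before ESP processing at the receiver) as an added, self-contained Python model; this is not code from the thread, from FreeBSD or from RFC 2401. The "cipher" is a toy XOR keystream and the ICV is a truncated HMAC, chosen only so the encapsulation round-trips and has realistic overhead; the constants, `FragmentationNeeded` (standing in for ICMP "fragmentation needed" feedback), and the 1460-byte sample payload (a typical TCP MSS for a 1500-byte MTU) are assumptions of this example.

```python
import hashlib
import hmac
from typing import List, Tuple

# Assumed sizes for the model: IPv4 header without options, ESP header
# (SPI + sequence number), toy IV, truncated ICV, cipher block alignment,
# and the ESP trailer (pad length + next header).
IP_HDR = 20
ESP_HDR = 8
ESP_IV = 8
ESP_ICV = 12
ESP_BLOCK = 8
ESP_TRAILER = 2


class FragmentationNeeded(Exception):
    """Models the ICMP 'fragmentation needed' signal PMTUD relies on (assumption)."""

    def __init__(self, mtu: int):
        super().__init__(f"DF set and packet exceeds MTU {mtu}")
        self.mtu = mtu


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # Toy keystream: SHA-256(key || iv || counter). Not a real ESP cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def esp_encap(payload: bytes, next_hdr: int, key: bytes, spi: int = 0x1000, seq: int = 1) -> bytes:
    """Build an ESP packet around the whole transport-layer payload."""
    pad_len = (-(len(payload) + ESP_TRAILER)) % ESP_BLOCK
    plain = payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    iv = hashlib.sha256(key + seq.to_bytes(4, "big")).digest()[:ESP_IV]
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(key, iv, len(plain))))
    body = spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + iv + cipher
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ESP_ICV]
    return body + icv


def esp_decap(esp: bytes, key: bytes) -> Tuple[bytes, int]:
    """Verify the ICV, decrypt, strip padding; returns (payload, next_header)."""
    body, icv = esp[:-ESP_ICV], esp[-ESP_ICV:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ESP_ICV]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch")
    iv = body[ESP_HDR:ESP_HDR + ESP_IV]
    cipher = body[ESP_HDR + ESP_IV:]
    plain = bytes(a ^ b for a, b in zip(cipher, _keystream(key, iv, len(cipher))))
    pad_len, next_hdr = plain[-2], plain[-1]
    return plain[:len(plain) - ESP_TRAILER - pad_len], next_hdr


def ip_fragment(data: bytes, df: bool, mtu: int) -> List[Tuple[int, bool, bytes]]:
    """IP-layer fragmentation of an already-built ESP packet.

    Returns (fragment offset in 8-byte units, more-fragments flag, data).
    With DF set an oversized packet is not fragmented; the sender gets the
    MTU back, which is what PMTUD needs to shrink the next datagram.
    """
    if IP_HDR + len(data) <= mtu:
        return [(0, False, data)]
    if df:
        raise FragmentationNeeded(mtu)
    step = (mtu - IP_HDR) // 8 * 8  # all but the last fragment carry a multiple of 8 bytes
    return [(off // 8, off + step < len(data), data[off:off + step])
            for off in range(0, len(data), step)]


def ip_reassemble(frags: List[Tuple[int, bool, bytes]]) -> bytes:
    """Reassemble fragments into the single ESP packet before any ESP processing."""
    frags = sorted(frags, key=lambda f: f[0])
    data = b""
    for off, _mf, chunk in frags:
        if off * 8 != len(data):
            raise ValueError("missing or overlapping fragment")
        data += chunk
    if frags[-1][1]:
        raise ValueError("last fragment missing")
    return data


def send_transport_mode(payload: bytes, df: bool, mtu: int, key: bytes, next_hdr: int = 6):
    """Sender side: ESP over the whole datagram first, IP fragmentation afterwards."""
    return ip_fragment(esp_encap(payload, next_hdr, key), df, mtu)


def receive_transport_mode(frags, key: bytes) -> Tuple[bytes, int]:
    """Receiver side: reassemble the ESP packet first, decrypt afterwards."""
    return esp_decap(ip_reassemble(frags), key)


if __name__ == "__main__":
    key = b"k" * 16              # constructed sample key
    segment = bytes(1460)        # constructed sample: one MSS-sized TCP segment
    frags = send_transport_mode(segment, df=False, mtu=1500, key=key)
    print(f"ESP packet of {len(esp_encap(segment, 6, key))} bytes split into {len(frags)} fragments")
    print("round trip ok:", receive_transport_mode(frags, key) == (segment, 6))
    try:
        send_transport_mode(segment, df=True, mtu=1500, key=key)
    except FragmentationNeeded as e:
        print("DF set: fragmentation needed, MTU", e.mtu)
```

With these sizes a 1460-byte segment becomes a 1492-byte ESP packet, i.e. a 1512-byte IP datagram, so on a 1500-byte path it is either split into a 1480-byte and a 12-byte fragment (DF clear) or refused with the path MTU (DF set); in both cases the receiver never sees an ESP packet that was encrypted per fragment.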
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5793a8ad-bf37-f2f2-29d8-29497d782651>