From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Eugene Grosbein, Victor Sudakov
Cc: freebsd-net@freebsd.org, Michael Tuexen
Subject: Re: IPSec transport mode, mtu, fragmentation...
Date: Mon, 23 Dec 2019 14:28:18 +0300
Message-ID: <5793a8ad-bf37-f2f2-29d8-29497d782651@yandex.ru>

On 23.12.2019 14:08, Eugene Grosbein wrote:
>>> Sample patch creates another sysctl but we should do it unconditionally, don't we?
>>
>> As I said, I didn't find that other OSes do this. Linux has PMTUD enabled
>> by default, strongswan doesn't set the SADB_SAFLAGS_NOPMTUDISC flag,
>> OpenBSD doesn't have such a quirk. Why should we add this instead of trying to
>> fix PMTUD?
>
> RFC 2401 Appendix B https://tools.ietf.org/html/rfc2401#page-1-48 states
> that packets generated by IPSec transport mode must be "fragmentable" over the path
> and this is incompatible with DF=1.

I don't see such requirements here, I think you read this somewhere
between the lines :-)

"If required, IP fragmentation occurs after IPsec processing within an
IPsec implementation. Thus, transport mode AH or ESP is applied only to
whole IP datagrams (not to IP fragments)."

This is exactly how it works now. IPsec does encryption and passes the ESP
packet to the IP stack, then it can be fragmented if it is allowed (i.e. no
DF bit set).

"An IP packet to which AH or ESP has been applied may itself be
fragmented by routers en route, and such fragments MUST be reassembled
prior to IPsec processing at a receiver."

If fragmentation was allowed at the previous step, the receiver will have
several fragments that will be reassembled into a single ESP packet, and
then it will be decrypted and passed to the IP stack. I.e. IPsec will not
try to decrypt each fragment before reassembly.

--
WBR, Andrey V. Elsukov
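The ordering described in the message above (ESP applied to the whole datagram, IP fragmentation afterwards and only when DF is clear, reassembly before ESP processing at the receiver) as a small added model. This is example code written for this page, not code from the thread, from FreeBSD's IPsec stack, or from RFC 2401. It uses ESP-NULL (RFC 2410) with an HMAC-SHA-256-128 ICV (RFC 4868) so it runs with the Python standard library alone; the key, SPI, payload sizes and the Packet structure are constructed for the example, and the FragmentationNeeded exception stands in for the ICMP "fragmentation needed" signal that PMTUD depends on when DF is set.

```python
"""Send/receive ordering for IPsec transport mode, as described in
RFC 2401 Appendix B: ESP first, then IP fragmentation (if DF allows it);
reassembly first, then ESP, at the receiver. Constructed example."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

IP_HDR = 20                      # IPv4 header without options
ESP_HDR = 8                      # SPI + sequence number (RFC 4303)
ICV_LEN = 16                     # HMAC-SHA-256-128 truncated ICV (RFC 4868)
IPPROTO_TCP, IPPROTO_ESP = 6, 50
AUTH_KEY = b"constructed-demo-key-not-a-real-sa"   # constructed sample key


class FragmentationNeeded(Exception):
    """DF is set and the ESP datagram exceeds the MTU. This is where a real
    stack emits/receives ICMP 'fragmentation needed' and PMTUD must act."""
    def __init__(self, mtu):
        super().__init__(f"DF set, datagram exceeds MTU {mtu}")
        self.mtu = mtu


@dataclass
class Packet:
    payload: bytes               # everything after the IPv4 header
    proto: int = IPPROTO_TCP     # IPv4 protocol field
    df: bool = False             # Don't Fragment flag
    frag_offset: int = 0         # in 8-octet units
    more_frags: bool = False


def esp_encapsulate(pkt, spi=0x1001, seq=1):
    """Transport mode: wrap the upper-layer payload in ESP and reuse the IP
    header with protocol 50. ESP-NULL, so there is no IV and no cipher."""
    pad_len = (-(len(pkt.payload) + 2)) % 4             # trailer 4-octet aligned
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, pkt.proto])
    body = struct.pack("!II", spi, seq) + pkt.payload + trailer
    icv = hmac.new(AUTH_KEY, body, hashlib.sha256).digest()[:ICV_LEN]
    return Packet(body + icv, IPPROTO_ESP, pkt.df)


def esp_decapsulate(pkt):
    """Verify the ICV over the whole ESP datagram, then strip header/trailer."""
    body, icv = pkt.payload[:-ICV_LEN], pkt.payload[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch")
    pad_len, next_hdr = body[-2], body[-1]
    return Packet(body[ESP_HDR:len(body) - pad_len - 2], next_hdr, pkt.df)


def ip_fragment(pkt, mtu):
    """IPv4 fragmentation of the already ESP-processed datagram."""
    if IP_HDR + len(pkt.payload) <= mtu:
        return [pkt]
    if pkt.df:
        raise FragmentationNeeded(mtu)
    chunk = (mtu - IP_HDR) // 8 * 8                     # offsets are 8-octet units
    return [Packet(pkt.payload[off:off + chunk], pkt.proto, pkt.df,
                   off // 8, off + chunk < len(pkt.payload))
            for off in range(0, len(pkt.payload), chunk)]


def ip_reassemble(frags):
    """Reassemble fragments (any arrival order) into one ESP datagram."""
    frags = sorted(frags, key=lambda f: f.frag_offset)
    expected_off = 0
    for f in frags:
        if f.frag_offset * 8 != expected_off:
            raise ValueError("non-contiguous fragment set")
        expected_off += len(f.payload)
    if frags[-1].more_frags:
        raise ValueError("last fragment missing")
    return Packet(b"".join(f.payload for f in frags), frags[0].proto, frags[0].df)


def send(pkt, mtu):
    """Sender: ESP first, then IP fragmentation if DF allows it."""
    return ip_fragment(esp_encapsulate(pkt), mtu)


def receive(wire):
    """Receiver: reassemble first, then ESP verification and decapsulation."""
    return esp_decapsulate(ip_reassemble(wire))


if __name__ == "__main__":
    # Constructed TCP payload that fits a 1500-byte MTU in the clear but not after ESP.
    segment = Packet(b"A" * 1480)
    frags = send(segment, 1500)
    print(len(frags), "fragments on the wire; round trip ok:",
          receive(frags).payload == segment.payload)
    try:
        send(Packet(b"A" * 1480, df=True), 1500)
    except FragmentationNeeded as e:
        print("DF set: sender must learn the smaller effective MTU", e.mtu)
```

With these numbers a 1480-byte TCP payload becomes a 1528-byte datagram after ESP (8 bytes header, 4 bytes trailer, 16 bytes ICV, 20 bytes IP header), so without DF it leaves as two fragments that the receiver stitches back together before checking the ICV, and with DF it is not sent at all until the sender learns the smaller effective MTU. That is the practical consequence of the RFC text quoted above: fragmentation and reassembly happen entirely outside IPsec, on the whole ESP datagram.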