Date: Sun, 19 Jan 2020 15:07:07 +0700 From: Victor Sudakov <vas@sibptus.ru> To: Julian Elischer <julian@freebsd.org> Cc: Eugene Grosbein <eugen@grosbein.net>, freebsd-net@freebsd.org, "Andrey V. Elsukov" <bu7cher@yandex.ru>, Michael Tuexen <tuexen@freebsd.org> Subject: Re: IPSec transport mode, mtu, fragmentation... Message-ID: <20200119080707.GB63055@admin.sibptus.ru> In-Reply-To: <20200119033843.GB54797@admin.sibptus.ru> References: <f9b7357e-ced1-4ce5-40d5-8e3dcad42442@yandex.ru> <d263a709-63cf-7da5-1747-8a6791f6503f@grosbein.net> <20200116155305.GA465@admin.sibptus.ru> <55f7bafa-24c4-9810-0d21-f82cb332ee2d@grosbein.net> <20200116160745.GA1356@admin.sibptus.ru> <72355e03-1cf8-c58f-3aec-b0a21e631870@grosbein.net> <20200117093645.GA51899@admin.sibptus.ru> <70b0b855-189b-03c2-0712-fc1e35640702@grosbein.net> <c7f5828b-3678-b432-47a8-75afada5bd9e@freebsd.org> <20200119033843.GB54797@admin.sibptus.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
--Y7xTucakfITjPcLV Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Victor Sudakov wrote: > Julian Elischer wrote: > > >=20 > > > > Back to the point. I've figured out that both encrypted (in transpo= rt > > > > mode) and unencrypted TCP segments have the same MSS=3D1460. Then I= 'm > > > > completely at a loss how the encrypted packets avoid being fragment= ed. > > > > TCP has no way to know in advance that encryption overhead will be > > > > added. >=20 > > Using multiple routing tables we could add a mechanism to the ipsec > > code so that encapsulated sessions are referred to one routing table > > and that the "envelope" routes are referencing another (specified in > > ipsec setup) routing table.=A0 The two routing tables would have differ= ent > > MTUs.=A0 This mechanism/framework would also be useful for other > > tunneling protocols in general. >=20 > I think before inventing something so innovative and clever, we should > look at how IPSec transport mode and MTU adjustment is implemented in > other OSes (OpenBSD, Linux, even Windows). Any experts? Maybe I've created much ado about nothing? In *transport* mode, the packet payload above the IP level (TCP+FTP in our case) is replaced by the encrypted payload.=20 Probably this transformation should not cause any increase in payload size because AFAIK a symmetric cipher does not increase the message size (i.e. the encrypted message is not bigger than the cleartext). OTOH, there is added information is the 4 bytes of SPI and 4 bytes of ESP sequence number, correct? So the payload should grow 8 bytes. Is this enough to make the packet too large? --=20 Victor Sudakov, VAS4-RIPE, VAS47-RIPN 2:5005/49@fidonet http://vas.tomsk.ru/ --Y7xTucakfITjPcLV Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEcBAEBAgAGBQJeJA4rAAoJEA2k8lmbXsY0qn8H/jE6j++Ao5EMJ08Ua1E2traK sHGFawL0Buzu7q8t5M+/gJN74VOM1ufH3mXEDYmPWjkGs+3ow/xks1Uaaz/AGzr5 Fa1p33HEyWGeWvkl26wkJB0pRtJrF5XtBrJUnC895pY31SnTzU14k08IKoI9jvnn S4qdVQBVcQqdJB0TTzV5nMKsy9s4k/WqsNE0rmMQ04+ZcTMWe8MEK5oYm4vpQewD emDzJ4eHzI7Z4S8j87IhCIRv9ydlgMTH+K9tZWV4J9XZCPtpJgJnQ0Wo3FdeZbyu FyYW+HPk7D0M7L+EirYaJqGSJ7DG4evFhYelOpgohAiGQQfX5mj5DgyjXAICfP4= =eJpe -----END PGP SIGNATURE----- --Y7xTucakfITjPcLV--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20200119080707.GB63055>