Date:      Mon, 23 Dec 2019 13:45:54 +0300
From:      "Andrey V. Elsukov" <bu7cher@yandex.ru>
To:        Victor Sudakov <vas@sibptus.ru>
Cc:        freebsd-net@freebsd.org, Michael Tuexen <tuexen@freebsd.org>
Subject:   Re: IPSec transport mode, mtu, fragmentation...
Message-ID:  <3edbc7ad-a760-48c7-3222-202d7a835fe5@yandex.ru>
In-Reply-To: <20191223100655.GA41651@admin.sibptus.ru>
References:  <20191220152314.GA55278@admin.sibptus.ru> <f38d1f3c-dc47-0776-29f9-2151b05e09b0@tuxpowered.net> <20191220160357.GB56081@admin.sibptus.ru> <20191220162233.GA56815@admin.sibptus.ru> <55eeca4c-9633-339a-f521-b0db462cc1d6@yandex.ru> <20191223100655.GA41651@admin.sibptus.ru>

On 23.12.2019 13:06, Victor Sudakov wrote:
>> ESP xform for transport mode just replaces protocol in IP header and
>> adds some info to the end of a packet.
>
> It is rather easy to verify your theory. If you are right, then
> disabling net.inet.tcp.path_mtu_discovery globally should remove the DF
> flags from the ESP packets too, right?
>
> Of course, net.inet.tcp.path_mtu_discovery=0 is not a solution, it's just
> a way to check the origin of the DF flag.
>
> And if you are right, what does it mean to us? Did you see
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=242744 already?
>
> My ultimate wish is to make transport mode work out of the box, without
> any workarounds like additional host routes or firewall rules.

I think the real problem is that PMTUD doesn't work correctly with
IPsec. Linux has a special sysctl variable ip_no_pmtu_disc and the flag
SADB_SAFLAGS_NOPMTUDISC for an SA that can disable PMTUD for IPv4, and the
IP_DF flag will not be set. We can add some similar quirks, but it would be
better to fix PMTUD. We already have hundreds of sysctls in our system and
remembering all of them is a problem too.

-- 
WBR, Andrey V. Elsukov

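As an added illustration (not code from the thread or from FreeBSD), the following Python sizes an IPv4 ESP transport-mode packet per RFC 4303 and shows the mismatch behind the PMTUD discussion: a TCP segment built for a 1500-byte MTU fits the link before ESP, but once the ESP header, padding, trailer and ICV are added it exceeds the MTU, so a DF-marked segment is too large to forward. The two cipher-suite parameter sets are assumed typical on-the-wire values (AES-CBC with HMAC-SHA1-96, and AES-GCM with a 16-byte ICV).

```python
# Added example, not from the mailing-list thread: ESP transport-mode sizing
# for IPv4 per RFC 4303. The original IP header is kept (protocol becomes 50),
# the ESP header goes in front of the TCP segment, and padding, trailer and
# ICV are appended at the end of the packet.
from dataclasses import dataclass

IPV4_HDR = 20
TCP_HDR = 20
ESP_SPI_SEQ = 8   # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspParams:
    iv_len: int    # bytes of IV/nonce carried in the packet
    block: int     # pad alignment in bytes (cipher block, or 4 for ESP minimum)
    icv_len: int   # integrity check value length in bytes


# Assumed typical suites; lengths follow RFC 4303 (ESP) and RFC 4106 (GCM).
AES_CBC_HMAC_SHA1 = EspParams(iv_len=16, block=16, icv_len=12)
AES_GCM_16 = EspParams(iv_len=8, block=4, icv_len=16)


def esp_transport_len(tcp_payload: int, p: EspParams) -> int:
    """Total IPv4 packet length after ESP transport-mode encapsulation."""
    # Encrypted region: TCP header + payload + trailer, padded so the
    # next-header byte ends on the cipher's alignment boundary.
    plain = TCP_HDR + tcp_payload + ESP_TRAILER
    padded = -(-plain // p.block) * p.block
    return IPV4_HDR + ESP_SPI_SEQ + p.iv_len + padded + p.icv_len


def fits_after_esp(mtu: int, p: EspParams) -> bool:
    """True if a segment at the plain TCP MSS for this MTU still fits after ESP."""
    return esp_transport_len(mtu - IPV4_HDR - TCP_HDR, p) <= mtu


def max_tcp_payload(mtu: int, p: EspParams) -> int:
    """Largest TCP payload whose ESP transport-mode packet fits within mtu."""
    size = mtu - IPV4_HDR - TCP_HDR  # start from the plain MSS and shrink
    while size > 0 and esp_transport_len(size, p) > mtu:
        size -= 1
    return size


if __name__ == "__main__":
    for name, p in (("AES-CBC/HMAC-SHA1-96", AES_CBC_HMAC_SHA1), ("AES-GCM-16", AES_GCM_16)):
        print(name, "MSS 1460 ->", esp_transport_len(1460, p),
              "bytes; fits:", fits_after_esp(1500, p),
              "; max payload:", max_tcp_payload(1500, p))
```

The size difference is exactly what a TCP stack sizing segments from the route MTU does not account for when ESP is applied afterwards.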