Date: Mon, 23 Dec 2019 15:00:25 +0300
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Victor Sudakov <vas@sibptus.ru>, freebsd-net@freebsd.org
Cc: Michael Tuexen <tuexen@freebsd.org>
Subject: Re: IPSec transport mode, mtu, fragmentation...
Message-ID: <4cc83b85-dd30-8c0d-330e-aa549ce98c98@yandex.ru>
In-Reply-To: <20191220152314.GA55278@admin.sibptus.ru>
References: <20191220152314.GA55278@admin.sibptus.ru>
On 20.12.2019 18:23, Victor Sudakov wrote:
> Dear Colleagues,
>
> I've set up IPSec in transport mode between two regular FreeBSD hosts,
> for testing. Now TCP sessions between those hosts don't work normally
> any more. For example, scp is stalled almost immediately after starting
> a file transfer, and so is interactive ssh eventually.
>
> I feel that the problem is somehow related to MTU, MSS and fragmentation
> of ESP packets, because:
>
> 1. When IPSec is disabled, I can "ping -s1472 -D" the remote host all
> right.
>
> 2. When IPSec is enabled, the maximum packet size I've been able to send
> through is "ping -s1414 -D". ("ping -s1415 -D host-b" already disappears
> in the void).

I think the silence from ping is because IPsec works asynchronously.
I.e. when the application sends data to the stack, it receives good
feedback and thinks that the data was sent successfully, then it waits
for a reply. But IPsec consumes the data, and the encrypted data is then
sent from the crypto thread via a callback. Now it cannot be fragmented
due to the IP_DF bit, but there is no app waiting for this error code.

A similar problem exists with TCP. Probably we can try to send a
PRC_MSGSIZE notify when EMSGSIZE is returned from ip_output(). At least
for TCP.

--
WBR, Andrey V. Elsukov
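The two ping limits quoted in the thread (1472 bytes without IPsec, 1414 with it) are the kind of numbers a defender wants to be able to predict before lowering an interface MTU or clamping MSS. The following is an added example, not code from the thread or from FreeBSD: it does the RFC 4303 size arithmetic for IPv4 ESP transport mode. The thread never says which algorithms were configured, so the cipher suite here (AES-128-CBC with a 16-byte IV and HMAC-SHA2-512 truncated to a 32-byte ICV) is an assumption; it is one of the suites whose overhead lands exactly on the observed 1414-byte boundary, and other suites give other limits. `suite=None` models the no-IPsec case from point 1.

```python
# Added example (not from the thread or FreeBSD): size arithmetic for IPv4
# ESP transport mode per RFC 4303. The cipher suite is an ASSUMPTION; the
# thread does not state which algorithms were in use.

IPV4_HDR = 20        # outer IPv4 header, no options
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
ICMP_HDR = 8         # ICMP echo header; "ping -s N" is the data after it
TCP_HDR = 20         # TCP header, no options

# Assumed suite: AES-128-CBC (16-byte IV, 16-byte block) + HMAC-SHA2-512
# with the 32-byte truncated ICV of RFC 4868. Chosen because its overhead
# reproduces the 1414-byte ping limit observed in the thread; this is NOT
# a claim about the poster's configuration.
SUITE = {"iv": 16, "block": 16, "icv": 32}


def esp_padding(plaintext_len, block):
    """Padding bytes so that plaintext + padding + ESP trailer is block-aligned."""
    return (-(plaintext_len + ESP_TRAILER)) % block


def packet_len(inner_len, suite=SUITE):
    """On-wire IPv4 length for inner_len bytes of transport-layer payload.

    With suite=None the packet is plain IPv4 (no IPsec); otherwise it is
    ESP transport mode: IP | ESP hdr | IV | payload | pad | trailer | ICV.
    """
    if suite is None:
        return IPV4_HDR + inner_len
    pad = esp_padding(inner_len, suite["block"])
    return (IPV4_HDR + ESP_HDR + suite["iv"] + inner_len + pad
            + ESP_TRAILER + suite["icv"])


def fits_without_fragmentation(inner_len, mtu=1500, suite=SUITE):
    """True when the packet can leave the interface with DF set (no fragmentation)."""
    return packet_len(inner_len, suite) <= mtu


def max_ping_payload(mtu=1500, suite=SUITE):
    """Largest 'ping -s' value whose echo request still fits under mtu."""
    s = mtu  # safe upper bound; search downward
    while s >= 0 and not fits_without_fragmentation(ICMP_HDR + s, mtu, suite):
        s -= 1
    return s


def max_tcp_mss(mtu=1500, suite=SUITE):
    """Largest TCP MSS (no TCP options) whose full segments never exceed mtu.

    This is the value to clamp MSS to (or to derive a lower interface MTU
    from) so that ESP never needs to fragment a DF-marked segment.
    """
    mss = mtu
    while mss >= 0 and not fits_without_fragmentation(TCP_HDR + mss, mtu, suite):
        mss -= 1
    return mss


if __name__ == "__main__":
    print("plain IPv4 ping limit:", max_ping_payload(suite=None))
    print("ESP transport ping limit:", max_ping_payload())
    print("ESP transport TCP MSS limit:", max_tcp_mss())
    for s in (1414, 1415):
        print(f"ping -s{s}: {packet_len(ICMP_HDR + s)} bytes on the wire")
```

Because CBC padding rounds the plaintext up to the next block, the on-wire size jumps by a whole block when the payload crosses an alignment boundary, which is why one extra byte (1414 to 1415) pushes the packet over the MTU at once rather than by a byte. The same arithmetic explains the TCP stall: the host negotiates an MSS from the interface MTU, never sees the ESP overhead, and the DF-marked segments are dropped after the application has already been told the write succeeded.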