Date: Mon, 23 Dec 2019 14:00:16 +0300
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Eugene Grosbein <eugen@grosbein.net>, Victor Sudakov <vas@sibptus.ru>
Cc: freebsd-net@freebsd.org, Michael Tuexen <tuexen@freebsd.org>
Subject: Re: IPSec transport mode, mtu, fragmentation...
Message-ID: <bbaa6ae8-e1f6-1aaf-9291-7dbfc7b9b419@yandex.ru>
In-Reply-To: <35fd51d5-c171-c97c-5bb2-529912d75844@grosbein.net>
References: <20191220152314.GA55278@admin.sibptus.ru> <f38d1f3c-dc47-0776-29f9-2151b05e09b0@tuxpowered.net> <20191220160357.GB56081@admin.sibptus.ru> <20191220162233.GA56815@admin.sibptus.ru> <55eeca4c-9633-339a-f521-b0db462cc1d6@yandex.ru> <20191223100655.GA41651@admin.sibptus.ru> <3edbc7ad-a760-48c7-3222-202d7a835fe5@yandex.ru> <35fd51d5-c171-c97c-5bb2-529912d75844@grosbein.net>
On 23.12.2019 13:55, Eugene Grosbein wrote:
>> I think the real problem is that PMTUD doesn't work correctly with
>> IPsec. Linux has a special sysctl variable ip_no_pmtu_disc and the flag
>> SADB_SAFLAGS_NOPMTUDISC for an SA that can disable PMTUD for IPv4, and the IP_DF
>> flag will not be set. We can add some similar quirks, but it would be
>> better to fix PMTUD. We already have hundreds of sysctls in our system, and
>> remembering all of them is a problem too.
>
> It's true that PMTUD does not work with IPSec transport mode.
>
> I think we could just clear the DF bit off encapsulated transport mode packets unconditionally,
> please take a look at the last chunk of the sample patch in PR 242744:
> https://bz-attachments.freebsd.org/attachment.cgi?id=210122
>
> The sample patch creates another sysctl, but we should do it unconditionally, shouldn't we?

As I said, I didn't find that other OSes do this.
Linux has PMTUD enabled by default, strongswan doesn't set the SADB_SAFLAGS_NOPMTUDISC flag, and OpenBSD has no such quirk. Why should we add this instead of trying to fix PMTUD?

-- 
WBR, Andrey V. Elsukov
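As an added illustration, not code from this thread or from the PR 242744 patch: clearing the DF bit off an already-built IPv4 header is only a valid change if the header checksum is refreshed at the same time, so the helper below does both on a raw header buffer and reports whether DF was actually set (the header bytes a caller passes in are constructed; all function names are mine).

```c
/* Added example, not code from this thread or from the PR 242744 patch:
 * clears the IPv4 DF bit in a raw header and recomputes the header
 * checksum so the packet stays valid. Header bytes used by callers are
 * constructed; no real traffic is involved. */
#include <stddef.h>
#include <stdint.h>

#define IP_DF_FLAG 0x4000u /* DF bit in the flags/fragment-offset field */

/* Ones'-complement checksum over len bytes; returns 0 for a header whose
 * checksum field is already correct. */
uint16_t ip_checksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((hdr[i] << 8) | hdr[i + 1]);
    if (len & 1)
        sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Clear DF in place and refresh the checksum.
 * Returns 1 if DF was set and cleared, 0 if it was already clear, -1 on a bad header. */
int ip_clear_df(uint8_t *hdr, size_t len)
{
    if (len < 20 || (hdr[0] >> 4) != 4)
        return -1;
    size_t hlen = (size_t)(hdr[0] & 0x0fu) * 4;
    if (hlen < 20 || hlen > len)
        return -1;
    uint16_t frag = (uint16_t)((hdr[6] << 8) | hdr[7]);
    if (!(frag & IP_DF_FLAG))
        return 0;
    frag &= (uint16_t)~IP_DF_FLAG;
    hdr[6] = (uint8_t)(frag >> 8);
    hdr[7] = (uint8_t)(frag & 0xffu);
    hdr[10] = hdr[11] = 0;              /* zero checksum, then recompute */
    uint16_t csum = ip_checksum(hdr, hlen);
    hdr[10] = (uint8_t)(csum >> 8);
    hdr[11] = (uint8_t)(csum & 0xffu);
    return 1;
}
```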