Date: Thu, 16 Jan 2020 16:39:38 +0300
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Victor Sudakov <vas@sibptus.ru>, freebsd-net@freebsd.org
Cc: Michael Tuexen <tuexen@freebsd.org>
Subject: Re: IPSec transport mode, mtu, fragmentation...
Message-ID: <f9b7357e-ced1-4ce5-40d5-8e3dcad42442@yandex.ru>
In-Reply-To: <4cc83b85-dd30-8c0d-330e-aa549ce98c98@yandex.ru>
References: <20191220152314.GA55278@admin.sibptus.ru> <4cc83b85-dd30-8c0d-330e-aa549ce98c98@yandex.ru>
On 23.12.2019 15:00, Andrey V. Elsukov wrote:
> On 20.12.2019 18:23, Victor Sudakov wrote:
>> Dear Colleagues,
>>
>> I've set up IPSec in transport mode between two regular FreeBSD hosts,
>> for testing. Now TCP sessions between those hosts don't work normally
>> any more. For example, scp is stalled almost immediately after starting
>> a file transfer, and so is interactive ssh eventually.
>>
>> I feel that the problem is somehow related to MTU, MSS and fragmentation
>> of ESP packets, because:
>>
>> 1. When IPSec is disabled, I can "ping -s1472 -D" the remote host all
>> right.
>>
>> 2. When IPSec is enabled, the maximum packet size I've been able to send
>> through is "ping -s1414 -D". ("ping -s1415 -D host-b" already disappears
>> in the void).
>
> I think the silence from ping is due to IPsec working asynchronously.
> I.e. when the application sends data to the stack, it receives good feedback
> and thinks that the data was sent successfully, then it waits for a reply.
> But IPsec consumes the data and then the encrypted data will be sent from
> the crypto thread via callback. And now they can not be fragmented due to the
> IP_DF bit, but there is no app waiting for this error code.
>
> A similar problem exists with TCP. Probably we can try to send a PRC_MSGSIZE
> notify when EMSGSIZE is returned from ip_output(). At least for TCP.

Hi,

I prepared the PoC patch that should fix the problem with TCP and
transport mode IPsec. But I do not have free time currently to properly
test and debug it. It is only compile-tested. But if you want, you can
try :)

Currently only IPv4 support is implemented.

https://people.freebsd.org/~ae/ipsec_transport_mode_ctlinput.diff

-- 
WBR, Andrey V. Elsukov
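The size arithmetic behind Victor's observations 1 and 2, as an added example (not code from the thread or from FreeBSD): it budgets an IPv4 ESP transport-mode packet per RFC 4303 and reports the largest `ping -s` that still fits a 1500-byte MTU with DF set. The suite parameters are assumed standard RFC values for illustration, and `suites_matching` only reports which of those assumed suites would produce a given observed limit, not which one the poster was running.

```python
"""ESP transport-mode size budget (added example, not code from the thread).

Layout of an IPv4 ESP transport-mode packet (RFC 4303):
  IPv4(20) | SPI+Seq(8) | IV | payload | pad | PadLen+NH(2) | ICV
payload+pad+trailer is padded to the cipher's block size (4 minimum), so
one extra byte of ping data can cost a whole block.  Suite parameters are
standard RFC values assumed for illustration, not the poster's SA config.
"""
from dataclasses import dataclass
from typing import List, Optional

IPV4_HDR = 20
ICMP_HDR = 8
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header

@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int   # explicit IV carried before the payload
    block: int    # payload+pad+trailer alignment
    icv_len: int  # integrity check value appended at the end

SUITES = (
    EspSuite("AES-CBC/HMAC-SHA1-96", 16, 16, 12),
    EspSuite("AES-CBC/HMAC-SHA2-256-128", 16, 16, 16),
    EspSuite("AES-CBC/HMAC-SHA2-512-256", 16, 16, 32),
    EspSuite("AES-GCM-16", 8, 4, 16),
    EspSuite("NULL/HMAC-SHA1-96", 0, 4, 12),
)

def esp_packet_len(suite: EspSuite, inner_len: int) -> int:
    """IPv4 packet length once inner_len bytes (ICMP hdr + data) are ESP-wrapped."""
    body = inner_len + ESP_TRAILER
    pad = (-body) % suite.block
    return IPV4_HDR + ESP_HDR + suite.iv_len + body + pad + suite.icv_len

def max_ping_data(suite: Optional[EspSuite], mtu: int = 1500) -> int:
    """Largest `ping -s N` that fits in mtu with DF set (no fragmentation)."""
    if suite is None:  # IPsec disabled: plain IPv4 + ICMP
        return mtu - IPV4_HDR - ICMP_HDR
    n = mtu
    while n > 0 and esp_packet_len(suite, ICMP_HDR + n) > mtu:
        n -= 1
    return n

def suites_matching(observed_max: int, mtu: int = 1500) -> List[str]:
    """Assumed suites whose budget reproduces an observed ping limit."""
    return [s.name for s in SUITES if max_ping_data(s, mtu) == observed_max]
```

Because the padding is block-aligned, the ceiling is a step function rather than a fixed offset below the 1472 bytes that fit without IPsec.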