Date:      Fri, 4 Jan 2002 09:27:33 -0000
From:      "Tariq Rashid" <tariq@inty.net>
To:        <freebsd-net@freebsd.org>
Subject:   KAME ipsec and mtu (via gif) - no icmp frag needed
Message-ID:  <MPENKFCCIIDAJKJJOLBHOEDFCFAA.tariq@inty.net>
In-Reply-To: <20020104085712.GA88991@cairo.zsat.net>


This is a question about the correct way to handle MTUs and fragmentation
when using IPsec on FreeBSD 4.4R.

I'm routing via a local gif0 tunnel which has aliases added to it for
multiple destinations, and the KAME IPsec code grabs the packets just
after they enter the gif0 device. In fact the IPsec SAs are handled by a
port of the OpenBSD isakmpd. There is no problem here.

Now, a standard ping packet is small enough to go through the IPsec
encapsulation and not require fragmentation. However, a larger ping packet,
or say, an FTP transfer, does cause fragmentation to occur, such that one
normal packet is broken into two packets and then the IPsec headers are
added. The resulting IPsec ESP packets are below the MTU limit (of 1500).
This is also fine.

But I was wondering why the KAME IPsec code does not send an ICMP error
message to the sender informing it of the need to defragment. The sender
would then send smaller chunks, resulting in no fragmentation. I think this
is normal for plain IP communication?

Any ideas gratefully received... or am I configuring it wrong? I have
experimented with the MTU of the external interfaces and the gif devices
too.

tariq


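The following is an added illustration, not code from the original post or from KAME: it models the gif + ESP path described above to show where the 1500-byte MTU is consumed, when the inner packet gets fragmented, and what a Path MTU Discovery reply (ICMP type 3 code 4, RFC 1191) would have to advertise instead. It assumes IPv4-in-IPv4 via gif, ESP in transport mode on the outer packet, 3DES-CBC (8-byte block and IV) and HMAC-SHA1-96/HMAC-MD5-96 (12-byte ICV); the header field sizes are from RFC 2406.

```python
# Added example (not from the original post or KAME): models the gif + ESP
# encapsulation path to show MTU consumption, fragmentation and what a PMTUD
# reply would carry. Assumed cipher/auth sizes: 3DES-CBC (8-byte block and IV),
# HMAC-*-96 (12-byte ICV). ESP field sizes follow RFC 2406.
from dataclasses import dataclass
from math import ceil

IPV4_HDR = 20        # outer IPv4 header kept in front of ESP (transport mode)
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspParams:
    block_size: int = 8   # assumed 3DES-CBC
    iv_len: int = 8
    icv_len: int = 12     # assumed HMAC-SHA1-96 / HMAC-MD5-96


def esp_wire_len(inner_len: int, p: EspParams = EspParams()) -> int:
    """Bytes on the external interface for one inner IPv4 packet after gif + ESP."""
    padded = ceil((inner_len + ESP_TRAILER) / p.block_size) * p.block_size
    return IPV4_HDR + ESP_HDR + p.iv_len + padded + p.icv_len


def max_inner_mtu(outer_mtu: int, p: EspParams = EspParams()) -> int:
    """Largest inner packet whose ESP encapsulation still fits in outer_mtu."""
    room = outer_mtu - IPV4_HDR - ESP_HDR - p.iv_len - p.icv_len
    return room - room % p.block_size - ESP_TRAILER


def forward_decision(inner_len: int, df_set: bool, outer_mtu: int = 1500,
                     p: EspParams = EspParams()):
    """What a PMTUD-conformant encapsulator does with an inner packet.

    Returns ("pass", wire_len), ("fragment", n_fragments) or
    ("icmp_frag_needed", next_hop_mtu).
    """
    limit = max_inner_mtu(outer_mtu, p)
    if inner_len <= limit:
        return ("pass", esp_wire_len(inner_len, p))
    if df_set:
        # RFC 1191: drop the packet and tell the sender the MTU it must use.
        return ("icmp_frag_needed", limit)
    # DF clear: fragment the inner packet; IPv4 fragment payloads are 8-byte multiples.
    frag_payload = (limit - IPV4_HDR) // 8 * 8
    return ("fragment", ceil((inner_len - IPV4_HDR) / frag_payload))


if __name__ == "__main__":
    for size, df in ((84, True), (1500, False), (1500, True)):
        print(size, "DF" if df else "--", forward_decision(size, df))
```

With these assumptions a 1500-byte inner packet with DF clear splits into the two fragments the post describes, while the same packet with DF set would warrant an ICMP "fragmentation needed" carrying a next-hop MTU of 1446.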






