From: stephen@dino.dnsalias.com (Stephen J. Bevan)
To: David Miller <davem@davemloft.net>
Cc: stephen@dino.dnsalias.com, pjf@asn.pl, netdev@vger.kernel.org
Subject: Re: [RFC] Ethernet Cheap Cryptography
Date: Fri, 20 Oct 2006 19:17:42 -0700 [thread overview]
Message-ID: <17721.33606.219025.313449@localhost.localdomain> (raw)
In-Reply-To: <20061019.195921.31639913.davem@davemloft.net>
David Miller writes:
> From: stephen@dino.dnsalias.com (Stephen J. Bevan)
> Date: Thu, 19 Oct 2006 19:18:41 -0700
>
> > Pawel Foremski writes:
> > > Secondly, IPsec won't decrease MSS in TCP encapsulated in PPPoE
> > > traffic, for example.
> >
> > Various, commercial, IPsec products decrease the MSS for TCP
> > encapsulated in PPPoE. I've not checked the Linux 2.6 IPsec code to
> > see if it does or if it can easily be made to.
>
> Linux will for local TCP connections over IPSEC transports since it
> knows the path MTU, for IPSEC gateways the source system will adjust
> the MSS after it notes via path-MTU what the decreased MTU is.
path-MTU gets interesting[1] in the context of an an IPsec gateway
(i.e. tunnel mode IPsec) and there is definitely variability as to how
reliably an ICMP will be returned in the case that the MTU is exceeded
somewhere between the two endpoints. Throw in port/protocol based
selectors[2] or IPv4(IPv6) traffic encrypted with an IPv6(IPv4)
header[3] and the chances of success go down.
Users ussually don't tend to care whose IPsec is at fault, they just
want things to work. Thus, having tunnel mode IPsec alter the MSS (of
non-local traffic) to take account of the encryption (or PPPoE,
... etc.) overhead smooths over most fragmentation issues.
----------
[1] as detailed in the length Appendix B of RFC 2401.
[2] some IPsec implementation won't correctly match an ICMP up against
port/protocol based selectors and so the ICMP is lost.
[3] mapping the DF bit is left to implementations, some reset the DF
bit and so just fragment.
next prev parent reply other threads:[~2006-10-21 2:18 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-10-15 16:20 [RFC] Ethernet Cheap Cryptography Dawid Ciezarkiewicz
2006-10-15 21:35 ` James Morris
2006-10-15 22:15 ` Dawid Ciezarkiewicz
2006-10-18 3:21 ` Stephen J. Bevan
2006-10-18 3:25 ` David Miller
2006-10-18 9:51 ` Dawid Ciezarkiewicz
2006-10-18 10:16 ` David Miller
2006-10-18 11:35 ` Dawid Ciezarkiewicz
2006-10-18 9:15 ` Dawid Ciezarkiewicz
2006-10-18 14:31 ` Dawid Ciezarkiewicz
2006-10-19 3:57 ` Stephen J. Bevan
2006-10-19 15:58 ` Pawel Foremski
2006-10-20 2:18 ` Stephen J. Bevan
2006-10-20 2:59 ` David Miller
2006-10-21 2:17 ` Stephen J. Bevan [this message]
2006-10-21 2:20 ` David Miller
2006-10-20 20:18 ` Pawel Foremski
2006-10-21 1:58 ` Stephen J. Bevan
2006-10-21 2:28 ` Stephen Hemminger
2006-10-21 15:33 ` Pawel Foremski
2006-10-21 15:12 ` Pawel Foremski
2006-10-22 0:05 ` Stephen J. Bevan
2006-10-20 19:50 ` Dawid Ciezarkiewicz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=17721.33606.219025.313449@localhost.localdomain \
--to=stephen@dino.dnsalias.com \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=pjf@asn.pl \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).