[Openswan dev] Missing packet id on ESP packets breaks fragment reassembly

Michael Richardson mcr at sandelman.ottawa.on.ca
Fri Jul 29 19:07:37 CEST 2005


>>>>> "Peter" == Peter Lenci <peterlenci at yahoo.ca> writes:
    >> Well, two things: a) If you set DF, then you should not set the
    >> ID.

    Peter> Hmm... that is your opinion! There are extended threads just
    Peter> about this subject (eg

  Actually, I tend to disagree with the view, but it is correct
according to the RFC.  I do want to permit the outgoing packet to be
fragmented if necessary.

  We have generally created oversize ESP packets without DF set, and
permitted them to be fragmented. This violates RFC2003 (we would
fragment the ESP even if the inner packet had DF set); the occurrence of
ICMP lossage means that this has been required.

  We intend to become compliant to the new PMTU rules the WG wrote
last year.

    Peter> Could you please do me a favor and run the following tcpdump
    Peter> command on your physical interface and tell me whether you get
    Peter> any output when sending large ICMP echo packets through the
    Peter> tunnel? Because if you do see anything then your setup is
    Peter> broken too...

  Yes, I will do this.

  Can you tell me which kernel you are working with?

-- 
] Michael Richardson          Xelerance Corporation, Ottawa, ON |  firewalls  [
] mcr @ xelerance.com           Now doing IPsec training, see   |net architect[
] http://www.sandelman.ca/mcr/    www.xelerance.com/training/   |device driver[
]                    I'm a dad: http://www.sandelman.ca/lrmr/                 [


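The thread's subject is that an ESP packet sent without DF and with an Identification field of 0 can be fragmented on the way, and the receiver then cannot tell its fragments apart from those of any other ID-0 datagram between the same peers. The following is an added example, not code from the thread or from Openswan: a small IPv4 header auditor that flags exactly that combination (ESP, DF clear, ID 0), DF set on a fragment, and several first fragments sharing one (src, dst, proto, id) tuple. The packets it runs over are constructed inline; the helper and field names are my own.

```python
"""Audit IPv4 headers (e.g. ESP packets captured on the physical interface)
for the fragmentation hazards discussed in the thread. Added example;
constructed sample packets, not a capture."""
import struct
from collections import defaultdict

ESP_PROTO = 50  # IP protocol number for ESP (RFC 4303)


def ipv4_checksum(hdr20: bytes) -> int:
    """One's-complement checksum over a 20-byte header (checksum field zeroed)."""
    s = sum(struct.unpack("!10H", hdr20))
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def parse_ipv4_header(raw: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header: ID, DF/MF flags, fragment offset."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    return {
        "ihl": (ver_ihl & 0x0F) * 4,
        "total_len": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "offset": (flags_frag & 0x1FFF) * 8,  # offset is in 8-byte units
        "proto": proto,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
    }


def audit(packets) -> list:
    """Return (packet_index, reason) findings for a list of raw IPv4 packets."""
    findings = []
    groups = defaultdict(list)  # (src, dst, proto, id) -> fragments seen
    for i, raw in enumerate(packets):
        h = parse_ipv4_header(raw)
        fragmented = h["mf"] or h["offset"] > 0
        if h["df"] and fragmented:
            findings.append((i, "DF set on a fragment: inconsistent header"))
        if h["proto"] == ESP_PROTO and not h["df"] and h["id"] == 0:
            findings.append((i, "ESP packet is fragmentable (DF clear) but IP ID is 0"))
        if fragmented:
            groups[(h["src"], h["dst"], h["proto"], h["id"])].append((i, h))
    # Two first fragments under the same tuple cannot be told apart by a reassembler.
    for key, members in groups.items():
        firsts = [i for i, h in members if h["offset"] == 0]
        if len(firsts) > 1:
            findings.append((firsts[-1],
                             f"{len(firsts)} first-fragments share id {key[3]}: reassembly ambiguity"))
    return findings


def build_ipv4(ident, df, mf, offset, proto=ESP_PROTO, payload=b"\x00" * 8,
               src="10.0.0.1", dst="10.0.0.2") -> bytes:
    """Build a constructed IPv4 packet with the given ID, flags and offset (bytes)."""
    flags_frag = (0x4000 if df else 0) | (0x2000 if mf else 0) | (offset // 8)
    fields = [0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0,
              bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))]
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = ipv4_checksum(hdr)
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


# Constructed sample: one sane packet, then the problem cases from the thread.
SAMPLE_PACKETS = [
    build_ipv4(0x1234, df=False, mf=False, offset=0),   # 0: fine, unique ID
    build_ipv4(0x0000, df=False, mf=False, offset=0),   # 1: ID 0, fragmentable
    build_ipv4(0x0000, df=False, mf=True, offset=0),    # 2: first fragment, ID 0
    build_ipv4(0x0000, df=False, mf=False, offset=1480),# 3: last fragment, ID 0
    build_ipv4(0x0000, df=False, mf=True, offset=0),    # 4: another first frag, ID 0
    build_ipv4(0x4242, df=True, mf=True, offset=0),     # 5: DF set on a fragment
]

if __name__ == "__main__":
    for idx, reason in audit(SAMPLE_PACKETS):
        print(f"packet {idx}: {reason}")
```

Run against a real capture by replacing SAMPLE_PACKETS with the IP layer of each frame (e.g. from a pcap reader); the "share id 0" finding is the receiver-side symptom the subject line describes, the "ID is 0" finding is the sender-side cause.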