[Openswan Users] DF flag on ESP packets

Marc H. Thoben chojin at gmx.net
Mon Oct 11 09:24:23 CEST 2004


On 11th of October 2004 at 12:12:53, Alexander Samad wrote:
> > 
> > I tcpdumped a lot and since all those friends are using dsl lines to
> > connect to the internet, I came a point realizing, that the DF flag
> > is the killing factor, because the 10mbit machine has a mtu of 1500
> > and the dsl users have 1460 or 1492, depending on their provider.
> > Synchronizing all mtus is not an option.
> > 
> 
> why not set the mtu for the route with ip 

Hmmm.. ok, let me think, why _I_ don't like that solution, though it
is valid and works as expected :) Thanks, good point !


To be completely sure, you are talking about something like this on
the machine with an mtu of 1500, right ?
> ip route add <dsl-user-with-mtu-1492> via <default-gw> mtu 1492
> ip route add <dsl-user-with-mtu-1460> via <default-gw> mtu 1460


Let's say the ipsec.conf would take a connection parameter like
leftmtu=NNNN:

A computer with an mtu of 1500 would have to know the mtu of each
endpoint. If that endpoint has a lower mtu, the proper mtu
(leftmtu=1492 or leftmtu=1460) would have to be specified. If that
endpoint has the same mtu, nothing needs to, but leftmtu=1500 can be
specified.

A computer with an mtu of 1492 also would have to know the mtu of
each endpoint. If that endpoint has a lower mtu, the proper mtu
(leftmtu=1460) would have to be specified. If that endpoint has the
same or a higher mtu, nothing needs to, but leftmtu=1492 can be
specified.

And so on...


Of course, a maximum mtu for every computer could be specified with
the ip command, but that'll create a whole lot of work, if i.e. a
new hardware with a hilarious mtu of 576 joins the circle.

I have never before thought much about the mtu a network device
uses.  Does it slow down the network or does it use extra cpu
resources ?


I haven't used many ipsec implementations, but klips ipsec and now
the kernels ipsec. The klips ipsec implementation shows, that the
ipsec tunnel works, without inheriting the inner packets' DF flags.

Now, I haven't entirely read the rfcs about esp, but I definitely
don't like the idea, that one needs to work around something that
is not needed in the first place.


Worst case szenario:
"hey, why not create an ipsec tunnel, so we can be sure no one is
listening ?" - "Yeah, sure, good idea." - "Oh, errm, what was your
mtu again ?" - "My what ?!" - "Well, your router's OS should mention
it somewhere..." - (days later) "1492, but why do you need _that_ ?"
- "Well, there is that DF flag, that.. blabla" ... ;-)


-- 
Best regards,
  Marc



More information about the Users mailing list