[Openswan Users] DF flag on ESP packets

Alexander Samad alex at samad.com.au
Mon Oct 11 18:15:30 CEST 2004 

On Mon, Oct 11, 2004 at 08:24:23AM +0200, Marc H. Thoben wrote:
> On 11th of October 2004 at 12:12:53, Alexander Samad wrote:
> > > 
> > > I tcpdumped a lot and since all those friends are using dsl lines to
> > > connect to the internet, I came a point realizing, that the DF flag
> > > is the killing factor, because the 10mbit machine has a mtu of 1500
> > > and the dsl users have 1460 or 1492, depending on their provider.
> > > Synchronizing all mtus is not an option.
> > > 
> > 
> > why not set the mtu for the route with ip 
> 
> Hmmm.. ok, let me think, why _I_ don't like that solution, though it
> is valid and works as expected :) Thanks, good point !

or use iptable to clamp the mtu

> 
> 
> To be completely sure, you are talking about something like this on
> the machine with an mtu of 1500, right ?
> > ip route add <dsl-user-with-mtu-1492> via <default-gw> mtu 1492
> > ip route add <dsl-user-with-mtu-1460> via <default-gw> mtu 1460
> 
> 
> Let's say the ipsec.conf would take a connection parameter like
> leftmtu=NNNN:
> 
> A computer with an mtu of 1500 would have to know the mtu of each
> endpoint. If that endpoint has a lower mtu, the proper mtu
> (leftmtu=1492 or leftmtu=1460) would have to be specified. If that
> endpoint has the same mtu, nothing needs to, but leftmtu=1500 can be
> specified.
> 
> A computer with an mtu of 1492 also would have to know the mtu of
> each endpoint. If that endpoint has a lower mtu, the proper mtu
> (leftmtu=1460) would have to be specified. If that endpoint has the
> same or a higher mtu, nothing needs to, but leftmtu=1492 can be
> specified.
> 
> And so on...
> 
> 
> Of course, a maximum mtu for every computer could be specified with
> the ip command, but that'll create a whole lot of work, if i.e. a
> new hardware with a hilarious mtu of 576 joins the circle.
> 
> I have never before thought much about the mtu a network device
> uses.  Does it slow down the network or does it use extra cpu
> resources ?
> 
> 
> I haven't used many ipsec implementations, but klips ipsec and now
> the kernels ipsec. The klips ipsec implementation shows, that the
> ipsec tunnel works, without inheriting the inner packets' DF flags.
> 
> Now, I haven't entirely read the rfcs about esp, but I definitely
> don't like the idea, that one needs to work around something that
> is not needed in the first place.
> 
> 
> Worst case szenario:
> "hey, why not create an ipsec tunnel, so we can be sure no one is
> listening ?" - "Yeah, sure, good idea." - "Oh, errm, what was your
> mtu again ?" - "My what ?!" - "Well, your router's OS should mention
> it somewhere..." - (days later) "1492, but why do you need _that_ ?"
> - "Well, there is that DF flag, that.. blabla" ... ;-)
> 
> 
> -- 
> Best regards,
>   Marc
> 
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.openswan.org/pipermail/users/attachments/20041011/855b06b3/attachment.bin

More information about the Users mailing list