[Openswan Users] MTU again (netkey fragmentation)

Benny Amorsen benny+usenet at amorsen.dk
Wed Feb 28 14:53:00 EST 2007


>>>>> "HS" == Harald Scharf <h.scharf at nestec.at> writes:

HS> Problem: Servers, with services where fragmentation is not allowed
HS> (DF). In my case: Client sends a query to a server (https) ->
HS> Server answers with https (DF). Packet arrives at the openswan box -> Box
HS> sends (fragment) -> Server says NO, and that is the end of the
HS> communication.

The server told us not to fragment. It set the DF bit, which means
Don't Fragment. KLIPS fragments anyway, despite what the RFCs say,
because there are a lot of broken boxes out there, or at least there
were 5 years ago. Netkey sticks with the RFCs.

The server can't tell us not to fragment and then refuse to fragment.
That fundamentally can't work. Fortunately, practically every OS gets
this right, so that is very rarely a problem. The problem is, with 99%
certainty, that the server never receives the ICMP Fragmentation
Needed, and therefore it doesn't realize that it needs to send smaller
packets.


Of course sometimes the broken firewall is at the other end of the
Internet. Then you need to do ugly stuff to make things work out
anyway. But so far you haven't found the broken firewall, and until
you do, it's pointless to talk about workarounds.


/Benny
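The diagnosis in the post (netkey honours DF and answers with ICMP Fragmentation Needed, KLIPS fragments anyway, and a firewall that eats the ICMP leaves the server stuck) as a small added Python model. This is example code, not part of the original message; the hop names, MTU values and the ICMP-filtering flag are constructed assumptions.

```python
"""Toy model of Path MTU Discovery (RFC 1191) across an IPsec gateway.

Added example, not code from the original post. Hop names, MTU values
and the ICMP-filtering flag below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Hop:
    name: str
    mtu: int
    fragments_despite_df: bool = False  # KLIPS-style: fragment even with DF set
    filters_icmp: bool = False          # the "broken firewall" that eats ICMP


def forward(length, df, path):
    """Push one packet of `length` bytes along `path` (server -> client).

    Returns one of:
      ("delivered", length)      fits every hop unchanged
      ("fragmented", hop_name)   a hop split it (DF clear, or KLIPS-style hop)
      ("icmp", next_hop_mtu)     RFC-compliant hop sent ICMP type 3 code 4 back
      ("blackhole", hop_name)    the ICMP was generated but a hop filtered it
    """
    for i, hop in enumerate(path):
        if length <= hop.mtu:
            continue
        if not df or hop.fragments_despite_df:
            return ("fragmented", hop.name)
        # Netkey behaviour: DF set and packet too big, so the gateway drops it
        # and answers with ICMP Fragmentation Needed carrying its own MTU.
        # That ICMP has to travel back through the hops already traversed.
        for back in reversed(path[:i]):
            if back.filters_icmp:
                return ("blackhole", back.name)
        return ("icmp", hop.mtu)
    return ("delivered", length)


def pmtud(length, path, max_rounds=8):
    """Sender side: keep DF set, shrink on each ICMP, give up on a blackhole.

    Returns the packet size the sender ends up using, or None if PMTUD
    stalls because the ICMP never arrives (the case described in the post).
    """
    for _ in range(max_rounds):
        kind, value = forward(length, True, path)
        if kind in ("delivered", "fragmented"):
            return length
        if kind == "blackhole":
            return None  # sender never learns; the connection just hangs
        length = value   # honour the next-hop MTU from the ICMP
    return None
```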
