
Re: Question on TCP MSS with respect to IPSEC



This looks obviously correct, but consider RFC1122 section 4.2.2.6.
The sender of a TCP segment must subtract the length of the IP and
TCP options that it intends to send from the MSS advertised by the
remote node.  (I caught one vendor in error this year on this point.)
In light of this, I think the opposite choice should be correct: The
sender of a packet with AH and/or ESP headers must subtract the sizes
of those headers from the remote node's MSS.

Besides, I'm not convinced that the TCP on the other end will always
and everywhere be able to know in advance the size of the AH+ESP
headers which your end will use for each packet.
_________________________________________________________
Matt Crawford          crawdad@fnal.gov          Fermilab
  PGP: D5 27 83 7A 25 25 7D FB  09 3C BA 33 71 C4 DA 6A
Naganand Doraswamy:
> When we advertise MSS for TCP connections, am I right in saying that the
> MSS value should take into account the ESP and AH header and data?
> 
> For example if the MTU is 576, and the AH header+data is 24 bytes and ESP
> header+data 20 bytes (assuming 8 bytes padding), then the MSS I announce
> should be (576 - 40 - 24 - 20).
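
The sender-side calculation the reply argues for, as an added example that is not part of the original thread: the RFC 1122 section 4.2.2.6 formula, followed by a search for the largest TCP payload that still fits the path MTU once AH and ESP are applied. The function names and the ESP layout (12 fixed bytes, 8-byte block, 2-byte trailer) are assumptions made for illustration.

```python
# Added example: sender-side segment sizing per RFC 1122 4.2.2.6, extended to
# AH/ESP as the reply proposes. ESP layout parameters are assumptions.

IP_HDR = 20   # IPv4 header without options
TCP_HDR = 20  # TCP header without options


def eff_snd_mss(peer_mss, mms_s, tcp_opt_len=0, ip_opt_len=0):
    """Eff.snd.MSS = min(SendMSS+20, MMS_S) - TCPhdrsize - IPoptionsize."""
    return min(peer_mss + 20, mms_s) - (TCP_HDR + tcp_opt_len) - ip_opt_len


def esp_len(inner_len, fixed=12, block=8, trailer=2):
    """Wire size of ESP around inner_len bytes (assumed layout: `fixed`
    header bytes, then data + padding + `trailer` bytes rounded up to a
    multiple of `block`)."""
    padded = -(-(inner_len + trailer) // block) * block  # ceiling to block
    return fixed + padded


def max_tcp_payload(peer_mss, path_mtu, ah_len=0, use_esp=False, tcp_opt_len=0):
    """Largest TCP payload the sender may place in one packet."""
    limit = eff_snd_mss(peer_mss, path_mtu - IP_HDR, tcp_opt_len)
    for payload in range(limit, 0, -1):
        inner = TCP_HDR + tcp_opt_len + payload
        if use_esp:
            inner = esp_len(inner)  # padding depends on this packet's length
        if IP_HDR + ah_len + inner <= path_mtu:
            return payload
    return 0


if __name__ == "__main__":
    # Peer advertised 536 (576 - 40) with no knowledge of our AH/ESP use.
    print(max_tcp_payload(536, 576))                            # plain TCP
    print(max_tcp_payload(536, 576, ah_len=24))                 # AH only
    print(max_tcp_payload(536, 576, ah_len=24, use_esp=True))   # AH + ESP
    # ESP overhead is not constant: it changes with the inner length.
    print(esp_len(518) - 518, esp_len(519) - 519)
```

Under the assumed layout the ESP overhead swings between 14 and 21 bytes depending on the segment length, which is why a single figure subtracted by the advertising side can only be an estimate.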