
Re: Question on TCP MSS with respect to IPSEC



I believe Mr. Crawford is correct.  The sender's idea of the MTU for a particular
route, more so than the MSS, should be decremented by the amount of IPSEC header
bytes needed. This also must be done on a per-association basis.

This becomes an interesting problem though when you are speaking to a host with 
one association and then form another with different transforms.

Optimally you would want to keep the number of bytes you can send as large as
possible.  So, if I have an association with a host that requires AH with MD5 
and no replay, I would want to shave off 24 bytes. 

If I form another association with that host that requires AH with SHA and replay,
then I want to shave off 32 bytes.  Bookkeeping the fact that I've already shaved
off 24 and only need to drop down an extra 8 is the interesting part.

This becomes even more interesting if we want to keep per-association pad boundary
data, not to mention tunnels.

==============================================================================
Rob Adams                            101 Cooper St.
Cisco Systems                        Santa Cruz, CA 95060
adams@cisco.com


 

> 
> This looks obviously correct, but consider RFC1122 section 4.2.2.6.
> The sender of a TCP segment must subtract the length of the IP and
> TCP options that it intends to send from the MSS advertised by the
> remote node.  (I caught one vendor in error this year on this point.)
> In light of this, I think the opposite choice should be correct: The
> sender of a packet with AH and/or ESP headers must subtract the sizes
> of those headers from the remote node's MSS.
> 
> Besides, I'm not convinced that the TCP on the other end will always
> and everywhere be able to know in advance the size of the AH+ESP
> headers which your end will use for each packet.
> _________________________________________________________
> Matt Crawford          crawdad@fnal.gov          Fermilab
>   PGP: D5 27 83 7A 25 25 7D FB  09 3C BA 33 71 C4 DA 6A
> Naganand Doraswamy:
> > When we advertise MSS for TCP connections, am I right in saying that the
> > MSS value should take into account the ESP and AH header and data.
> > 
> > For example if the MTU is 576, and the AH header+data is 24 bytes and ESP
> > header +data 20 bytes (assuming 8 bytes padding), then the MSS I announce
> > should be (576 - 40 - 24 - 20).
> 
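The per-peer bookkeeping Rob describes above (reserve the largest header overhead among the live associations, and when a bigger transform set appears shave off only the difference), written out as an added Python example; this is not code from any of the posters. The byte counts are the ones quoted in the thread (24 for AH/MD5 without replay, 32 for AH/SHA with replay, 20 for ESP header plus data), the 20-byte IP and TCP headers are assumed, and the class and method names are hypothetical.

```python
from dataclasses import dataclass, field

# Assumed fixed header sizes: IPv4 and TCP without options.
IP_HDR = 20
TCP_HDR = 20


@dataclass(frozen=True)
class Assoc:
    """One security association (or an AH+ESP bundle) toward a peer."""
    name: str
    overhead: int  # bytes this transform set adds to every packet


@dataclass
class PeerState:
    """What the sender has already shaved off its route MTU for one peer."""
    mtu: int
    assocs: dict = field(default_factory=dict)  # name -> Assoc
    shaved: int = 0  # overhead currently reserved: max over live assocs

    def add(self, a: Assoc) -> int:
        """Register an association; return the *extra* bytes to shave off.

        If an existing association already reserves at least as much,
        nothing changes and 0 is returned (the "already shaved 24, only
        need 8 more" case from the thread).
        """
        self.assocs[a.name] = a
        new_max = max(x.overhead for x in self.assocs.values())
        extra = max(0, new_max - self.shaved)
        self.shaved = new_max
        return extra

    def remove(self, name: str) -> int:
        """Drop an association; return the bytes that can be given back."""
        self.assocs.pop(name)
        new_max = max((x.overhead for x in self.assocs.values()), default=0)
        freed = self.shaved - new_max
        self.shaved = new_max
        return freed

    def effective_mtu(self) -> int:
        """Route MTU after IPSEC overhead, as Rob suggests tracking."""
        return self.mtu - self.shaved

    def mss_to_advertise(self) -> int:
        """MSS derived from the reduced MTU: MTU - IP - TCP - IPSEC bytes."""
        return self.effective_mtu() - IP_HDR - TCP_HDR
```

With an MTU of 576, adding the AH/MD5 association shaves 24 bytes (MSS 512); adding AH/SHA with replay on top shaves only 8 more (MSS 504), and removing it again gives those 8 back.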


