
Re: Question on TCP MSS with respect to IPSEC



> You can only do so much to reduce TCP segment sizes to account for
> IPSEC headers. Especially since a very common (if not the single most
> important) case of tunnel mode assumes a TCP that knows nothing about
> IPSEC.

Pardon my cloddish opinion, but I think that's the EASY case.  The
tunnel's far end will decapsulate and the receiver will find its MSS
has been respected.

> The best you can really hope for is Path MTU support on the sending
> TCP that will respond appropriately to ICMP messages from an IPSEC
> tunnel endpoint that knows what its next hop interface MTU is after
> being adjusted for IPSEC overhead.

I think we've all been presuming an implicit MIN(PMTU, MSS+10*ip->ip_v).
_________________________________________________________
Matt Crawford          crawdad@fnal.gov          Fermilab
  PGP: D5 27 83 7A 25 25 7D FB  09 3C BA 33 71 C4 DA 6A
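
Added example, not part of the original message or of any IPsec implementation: a C sketch of the two quantities the thread discusses, the path MTU a tunnel endpoint would report after subtracting ESP tunnel-mode overhead, and the MIN(PMTU, MSS+10*ip_v) bound, with 10*ip_v read here as IP plus TCP header size. The struct, function names and sample sizes are assumptions constructed for illustration.

```c
#include <stdio.h>

/* Constructed ESP tunnel-mode parameters (assumptions, not from the thread). */
struct esp_params {
    unsigned outer_ip_hdr; /* outer IP header: 20 for IPv4, 40 for IPv6 */
    unsigned iv_len;       /* cipher IV carried in every packet */
    unsigned block_len;    /* cipher block size the ciphertext is padded to */
    unsigned icv_len;      /* authenticator appended after the ciphertext */
};

/* Largest inner packet that still fits in link_mtu once encapsulated:
 * the value a tunnel endpoint would put in its ICMP "too big" message. */
unsigned tunnel_pmtu(unsigned link_mtu, const struct esp_params *p)
{
    unsigned fixed = p->outer_ip_hdr + 8 /* SPI + sequence number */
                   + p->iv_len + p->icv_len;
    unsigned align = p->block_len < 4 ? 4 : p->block_len; /* ESP aligns to 4 */
    if (link_mtu <= fixed)
        return 0;
    unsigned room = link_mtu - fixed;
    room -= room % align;            /* encrypted part is whole blocks */
    return room > 2 ? room - 2 : 0;  /* pad-length and next-header bytes */
}

/* MIN(PMTU, MSS + 10*ip_v): 10*ip_v is 40 for IPv4 and 60 for IPv6,
 * i.e. the IP header plus a 20-byte TCP header without options. */
unsigned max_packet(unsigned pmtu, unsigned mss, unsigned ip_v)
{
    unsigned by_mss = mss + 10 * ip_v;
    return pmtu < by_mss ? pmtu : by_mss;
}

/* TCP payload per segment once that bound is applied. */
unsigned tcp_payload(unsigned pmtu, unsigned mss, unsigned ip_v)
{
    unsigned pkt = max_packet(pmtu, mss, ip_v);
    return pkt > 10 * ip_v ? pkt - 10 * ip_v : 0;
}

int main(void)
{
    struct esp_params p = {20, 8, 8, 12};  /* constructed sample sizes */
    unsigned pmtu = tunnel_pmtu(1500, &p); /* Ethernet next hop */
    printf("reported PMTU %u, packet %u, payload %u\n", pmtu,
           max_packet(pmtu, 1460, 4), tcp_payload(pmtu, 1460, 4));
    return 0;
}
```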