Re: Question on TCP MSS with respect to IPSEC

> You can only do so much to reduce TCP segment sizes to account for
> IPSEC headers. Especially since a very common (if not the single most
> important) case of tunnel mode assumes a TCP that knows nothing about
> IPSEC.

Pardon my cloddish opinion, but I think that's the EASY case. The
tunnel's far end will decapsulate and the receiver will find its MSS
has been respected.

> The best you can really hope for is Path MTU support on the sending
> TCP that will respond appropriately to ICMP messages from an IPSEC
> tunnel endpoint that knows what its next hop interface MTU is after
> being adjusted for IPSEC overhead.

I think we've all been presuming an implicit MIN(PMTU, MSS+10*ip->ip_v).
_________________________________________________________
Matt Crawford crawdad@fnal.gov Fermilab
PGP: D5 27 83 7A 25 25 7D FB 09 3C BA 33 71 C4 DA 6A
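
An added example, not part of the original message: it works through the two limits discussed above, the sender's MIN(PMTU, MSS+10*ip->ip_v) bound and the MTU a tunnel endpoint has left for inner packets after ESP tunnel-mode overhead. The function names, the ESP field sizes (taken from the ESP format in RFC 4303) and the cipher parameters in main() are assumptions, and IP/TCP options are ignored.

```c
#include <stdio.h>

/* Base IP + TCP header bytes without options: 40 for IPv4, 60 for IPv6.
 * This is the 10*ip->ip_v shorthand used in the message. */
static unsigned hdr_bytes(unsigned ip_v) { return 10u * ip_v; }

/* Largest IP datagram the sending TCP may emit: MIN(PMTU, MSS + 10*ip_v). */
unsigned max_datagram(unsigned pmtu, unsigned peer_mss, unsigned ip_v)
{
    unsigned by_mss = peer_mss + hdr_bytes(ip_v);
    return pmtu < by_mss ? pmtu : by_mss;
}

/* TCP payload bytes per segment under that limit. */
unsigned max_tcp_payload(unsigned pmtu, unsigned peer_mss, unsigned ip_v)
{
    unsigned d = max_datagram(pmtu, peer_mss, ip_v);
    return d > hdr_bytes(ip_v) ? d - hdr_bytes(ip_v) : 0;
}

/* Largest inner packet that still fits the tunnel endpoint's next-hop MTU
 * after ESP tunnel-mode encapsulation (assumed layout: outer IP header,
 * SPI + sequence number, IV, padded ciphertext, ICV). Returns 0 if the
 * link MTU cannot carry even one cipher block. */
unsigned esp_tunnel_inner_mtu(unsigned link_mtu, unsigned outer_ip_v,
                              unsigned iv_len, unsigned block_len,
                              unsigned icv_len)
{
    unsigned outer_hdr = (outer_ip_v == 6) ? 40 : 20;
    unsigned fixed = outer_hdr + 8 + iv_len + icv_len; /* 8 = SPI + seq */
    unsigned align = block_len > 4 ? block_len : 4;    /* ESP pads to >= 4 */
    if (link_mtu < fixed + align)
        return 0;
    unsigned room = link_mtu - fixed;
    room -= room % align;     /* ciphertext must be a whole number of blocks */
    return room - 2;          /* pad-length and next-header bytes */
}

int main(void)
{
    /* Constructed case: 1500-byte Ethernet, IPv4, 16-byte IV and block,
     * 12-byte ICV (assumed transform parameters), peer MSS 1460. */
    unsigned inner = esp_tunnel_inner_mtu(1500, 4, 16, 16, 12);
    printf("MTU reported by tunnel endpoint: %u\n", inner);
    printf("payload before ICMP: %u\n", max_tcp_payload(1500, 1460, 4));
    printf("payload after ICMP:  %u\n", max_tcp_payload(inner, 1460, 4));
    return 0;
}
```

Until the ICMP message lowers the sender's PMTU, the MSS term wins and full-size segments reach the tunnel endpoint; afterwards the PMTU term wins.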