
Re: Question on TCP MSS with respect to IPSEC



>Doesn't the ICMP message indicate the datagram size (IP Header + data) that
>it can send? This being the case, the router or tunnel end point may not
>take into account the overhead of IPSEC, correct?

Well, that's how Path MTU discovery works -- it relies on the MTU
fields in the ICMP messages that bounce back when a packet is too
large to fit and the don't-fragment bit is set. When an IPSEC gateway
generates such an ICMP message for a destination on the other end
of a tunnel, this field should indeed be adjusted to compensate for
the IPSEC overhead. That should cause the original sender to adjust
its MSS appropriately, just as it would if IPSEC weren't in use.

Phil
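
The adjustment described in the reply above, as an added example that is not part of the original message: it computes the largest inner packet an ESP tunnel-mode gateway can carry over a given link MTU and places that value in the next-hop MTU field of an ICMP "fragmentation needed" message (RFC 1191). The cipher parameters, the 20-byte IPv4 headers without options, and the sample packet are assumptions chosen for illustration.

```python
import struct

OUTER_IPV4 = 20   # outer IPv4 header, no options (assumption)
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad-length + next-header bytes

def inner_mtu(link_mtu, iv_len, block, icv_len):
    """Largest inner packet that still fits link_mtu after ESP tunnel encapsulation."""
    room = link_mtu - OUTER_IPV4 - ESP_HDR - iv_len - icv_len
    align = max(block, 4)          # ESP payload is padded to the block size, min. 4 bytes
    return (room // align) * align - ESP_TRAILER

def tcp_mss(mtu):
    """MSS the original sender ends up with: MTU minus inner IPv4 and TCP headers."""
    return mtu - 20 - 20

def checksum(data):
    """Internet checksum (one's complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def frag_needed(next_hop_mtu, offending):
    """ICMP type 3 code 4 quoting the offending IP header plus 8 payload bytes."""
    body = struct.pack("!HH", 0, next_hop_mtu) + offending[:28]
    csum = checksum(struct.pack("!BBH", 3, 4, 0) + body)
    return struct.pack("!BBH", 3, 4, csum) + body

def advertised_mtu(icmp):
    """Read the next-hop MTU field back out of the ICMP message."""
    return struct.unpack("!H", icmp[6:8])[0]

# Constructed sample: 1500-byte IPv4/TCP packet with DF set, documentation addresses.
SAMPLE = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 1, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
SAMPLE += struct.pack("!HHI", 49152, 443, 1)   # first 8 bytes of the TCP header

if __name__ == "__main__":
    # Assumed transform: 16-byte IV, 16-byte cipher block, 12-byte ICV.
    mtu = inner_mtu(1500, iv_len=16, block=16, icv_len=12)
    msg = frag_needed(mtu, SAMPLE)
    print("advertise MTU", advertised_mtu(msg), "-> sender MSS", tcp_mss(mtu))
```

If the gateway instead copied the link MTU (1500) into that field unchanged, the sender would keep producing packets that no longer fit once the ESP overhead is added.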



