Re: TO COMPRESS OR NOT TO CMPRS (please reply)
> Yes, but isn't that a Hard Problem (tm) unless you keep state (either
> "virtual interfaces" or individual packets) at the tunnel endpoints?
Well, given that you already need per-outbound-SA state (for the
session key and replay detection) this doesn't seem to be a major
burden. A per-outbound-SA MTU would seem to be the Right Answer..
> How else do you convert an ICMP Fragmentation Required message for a
> tunneled (and auth'd and 'crypted) packet back into an ICMP
> Fragmentation Required for the original, untunnelled packet?
Well, one "cheat" occurs to me: don't send a "FR" when you receive a
FR; instead, just record the MTU and let the packet fall on the floor;
if it was important, the sender will retransmit it; when this happens,
and (assuming it's too large), generate a new "fragmentation required"
ICMP message. One drawback is that it takes two packets (instead of
one) for a new tunnel to learn the MTU..
- Bill
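
The per-outbound-SA MTU and the "record it, drop, answer the retransmission" behaviour described in the message above, as an added Python example that is not part of the original post. The 56-byte tunnel overhead, the SPI value and the packet sizes are constructed, and inner packets are assumed to carry DF.

```python
from dataclasses import dataclass

TUNNEL_OVERHEAD = 56  # assumed bytes added by the outer header and transform


@dataclass
class OutboundSA:
    """Per-outbound-SA state; the key and replay counter already live here."""
    spi: int
    seq: int = 0
    path_mtu: int = 65535  # unknown until the path reports something smaller


class TunnelEndpoint:
    def __init__(self):
        self.sas = {}

    def on_icmp_frag_required(self, spi, next_hop_mtu):
        """ICMP FR arrived for a tunneled packet: only record the MTU.
        The packet is already lost and nothing is relayed to the sender."""
        sa = self.sas[spi]
        sa.path_mtu = min(sa.path_mtu, next_hop_mtu)

    def send(self, spi, inner_len):
        """Return ('tunneled', outer_len) or ('icmp_frag_required', inner_mtu)."""
        sa = self.sas[spi]
        outer_len = inner_len + TUNNEL_OVERHEAD
        if outer_len > sa.path_mtu:
            # The original packet is in hand, so the ICMP can quote it directly.
            return ("icmp_frag_required", sa.path_mtu - TUNNEL_OVERHEAD)
        sa.seq += 1
        return ("tunneled", outer_len)


def simulate(link_mtu, inner_len, spi=0x1001):
    """Sender retransmits one packet; a router on the path enforces link_mtu."""
    ep = TunnelEndpoint()
    ep.sas[spi] = OutboundSA(spi)  # constructed SPI
    events = []
    for _ in range(3):
        result = ep.send(spi, inner_len)
        events.append(result)
        if result[0] != "tunneled" or result[1] <= link_mtu:
            break
        ep.on_icmp_frag_required(spi, link_mtu)  # path rejected the outer packet
    return events


if __name__ == "__main__":
    print(simulate(link_mtu=1400, inner_len=1500))
```

The first packet is lost inside the tunnel and only the retransmission draws the ICMP reply, which is the two-packet cost the message mentions.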