
Re: don't-fragment-flag on ftp & icmp



> My IPSec implementation sits on an Ethernet LAN which has a max PDU size
> of 1500. I've noticed that ftp builds IP packets at this max size and
> then sends them with the don't-fragment-flag set to 1. Encryption
> obviously adds bytes to the packet so how can I encrypt this without
> fragmenting it? Are we supposed to ignore the flag & fragment anyway?

Well, this depends a lot on your implementation.

It sounds like you have a "bump in the stack" implementation, where you
aren't otherwise tied into the IP implementation on your system.

A fix for the problem you have is to somehow convince your IP that it's on a
differently-sized device, with a frame size of 1500 - sizeof (IPsec
overhead).

If I'm wrong about your implementation, and you are embedded with your IP
code, you should be making fragmentation decisions only AFTER you apply
IPsec.

Dan
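As an added illustration of the reply above (this is example code, not anything from the original thread or any particular IPsec implementation), the following Python works out the "1500 - sizeof (IPsec overhead)" figure for ESP and shows the decision a bump-in-the-stack layer faces when a don't-fragment packet arrives that will no longer fit once encapsulated. The ESP layout (8-byte header, IV, padding to the cipher block, 2-byte trailer, ICV) follows RFC 4303; the assumed parameters (16-byte AES-CBC IV and block, 12-byte HMAC-SHA1-96 ICV, IPv4 header without options) are illustrative choices, and the `EspParams`, `max_inner_len` and `handle_outbound` names are this example's own.

```python
"""Effective MTU and DF handling for a bump-in-the-stack ESP layer.

Example code written for this thread; the parameters below are assumptions
chosen for illustration, not values taken from any real deployment.
"""
from dataclasses import dataclass

IP_HDR = 20          # IPv4 header without options (outer header in tunnel mode)
ESP_HDR = 8          # SPI (4 bytes) + sequence number (4 bytes), RFC 4303
ESP_TRAILER = 2      # pad length (1 byte) + next header (1 byte)


@dataclass(frozen=True)
class EspParams:
    iv_len: int        # IV bytes carried in front of the ciphertext (16 for AES-CBC)
    block_size: int    # cipher block size the plaintext is padded up to
    icv_len: int       # integrity check value length (12 for HMAC-SHA1-96)
    tunnel_mode: bool  # tunnel mode wraps the packet in a fresh outer IP header


def esp_padding(inner_len: int, p: EspParams) -> int:
    """Padding bytes needed so inner packet + trailer ends on a block boundary."""
    return (-(inner_len + ESP_TRAILER)) % p.block_size


def encapsulated_len(inner_len: int, p: EspParams) -> int:
    """On-the-wire IP datagram length after ESP encapsulation of an
    inner_len-byte IP packet (transport mode keeps the original IP header,
    so only the ESP parts are added; tunnel mode adds an outer header too)."""
    total = (ESP_HDR + p.iv_len + inner_len + esp_padding(inner_len, p)
             + ESP_TRAILER + p.icv_len)
    if p.tunnel_mode:
        total += IP_HDR
    return total


def max_inner_len(link_mtu: int, p: EspParams) -> int:
    """Largest inner IP packet whose encapsulation still fits the link MTU.

    This is the '1500 - sizeof(IPsec overhead)' value: advertise it to the
    host IP stack as the interface MTU so it never hands us a DF packet that
    cannot be sent unfragmented after encryption.
    """
    inner = link_mtu
    while encapsulated_len(inner, p) > link_mtu:
        inner -= 1
    return inner


def handle_outbound(inner_len: int, df: bool, link_mtu: int, p: EspParams) -> str:
    """Decide what to do with an outbound packet before applying ESP.

    Returns one of:
      'encrypt'                 fits after encapsulation, send as-is
      'icmp-frag-needed mtu=N'  DF set and too big: do not fragment; report
                                the usable MTU N back to the sender (PMTUD)
      'encrypt-then-fragment'   DF clear: apply ESP first, then let the
                                resulting datagram be fragmented on the wire
    """
    if encapsulated_len(inner_len, p) <= link_mtu:
        return "encrypt"
    if df:
        return f"icmp-frag-needed mtu={max_inner_len(link_mtu, p)}"
    return "encrypt-then-fragment"


if __name__ == "__main__":
    # Constructed scenario: Ethernet MTU 1500, AES-CBC + HMAC-SHA1-96, tunnel mode.
    tunnel = EspParams(iv_len=16, block_size=16, icv_len=12, tunnel_mode=True)
    print("full-size ftp packet becomes", encapsulated_len(1500, tunnel), "bytes")
    print("advertise MTU", max_inner_len(1500, tunnel), "to the host stack")
    print("DF packet of 1500:", handle_outbound(1500, True, 1500, tunnel))
    print("non-DF packet of 1500:", handle_outbound(1500, False, 1500, tunnel))
```

The DF branch is the important one for the question asked: the layer must not silently clear the bit and fragment, because the sending stack set DF precisely so it could learn the path MTU; answering with the reduced MTU lets ftp's TCP segments shrink to a size that survives encapsulation.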

