
Re: don't-fragment-flag on ftp & icmp



It would be correct if you reduce the MTU value
when configuring the LAN interfaces. You'll need to
write your own network configuration script.
That can be done as well from within the IPsec
kernel driver at network stream construction time.

If the above fails, as a trick, you can drop
a big packet, generate a 'Need Fragmented' ICMP message
and send it up the network stream.
Probably you'll be able to 'teach' the upper software this way
to reduce the downstream packet size.

In turn, the SunOS TCP/IP software should not set the DF
bit by default; check the /dev/ip variable settings
(or at least I've never observed such behavior).
regards,
---
Alexei V. Vopilov (alx@elnet.msk.ru),  +7(095)5367694
Software Architecture&Development Consultant.
---
-----Original Message-----
From: CJ Gibson <cjgibson@semaphorecom.com>
To: 'ipsec' <ipsec@tis.com>
Date: 16 December 1997 22:23
Subject: don't-fragment-flag on ftp & icmp


:I have a question about encryption:
:My IPSec implementation sits on an Ethernet LAN which has a max PDU size
:of 1500. I've noticed that ftp builds IP packets at this max size and
:then sends them with the don't-fragment-flag set to 1. Encryption
:obviously adds bytes to the packet so how can I encrypt this without
:fragmenting it? Are we supposed to ignore the flag & fragment anyway?
:And how about ICMP (ping on my Sun sets the don't-fragment-flag as
:well)??
:What are the rest of you doing in this case??
:
:Thanx for your input..
: CJ
:
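The trick Alexei describes, an IPsec driver dropping an oversized datagram that has DF set and handing an ICMP "Fragmentation Needed" message (type 3, code 4, with the RFC 1191 Next-Hop MTU field) back up the stack so the sender shrinks its segments, written out as an added example in Python; it is not code from this thread or from any implementation discussed in it. The 50-byte ESP tunnel-mode overhead, the 1500-byte link MTU and the 10.0.0.x addresses are constructed assumptions.

```python
import socket
import struct

IP_DF = 0x4000  # Don't Fragment bit in the IPv4 flags/fragment-offset field

# Constructed ESP tunnel-mode growth: outer IP hdr 20 + SPI/seq 8 + IV 8 +
# pad-len/next-hdr 2 + ICV 12. Real overhead also varies with block padding.
ESP_TUNNEL_OVERHEAD = 50

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src: str, dst: str, payload: bytes, df: bool = True) -> bytes:
    """Minimal IPv4 datagram (no options, proto TCP) used as constructed input."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      IP_DF if df else 0, 64, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload

def frag_needed(dropped: bytes, next_hop_mtu: int) -> bytes:
    """ICMP type 3 code 4 (Fragmentation Needed and DF Set): quotes the dropped
    IP header + first 8 bytes (RFC 792) and carries the Next-Hop MTU (RFC 1191)."""
    ihl = (dropped[0] & 0x0F) * 4
    msg = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + dropped[:ihl + 8]
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]

def outbound(datagram: bytes, link_mtu: int, overhead: int = ESP_TUNNEL_OVERHEAD):
    """Driver decision for one outbound datagram: ("send", d) if it still fits
    after encapsulation; ("icmp", msg) if DF is set and it would not, i.e. drop
    it and hand Fragmentation Needed back up the stack; ("fragment", d) if DF
    is clear and the stack may fragment after ESP."""
    total_len = int.from_bytes(datagram[2:4], "big")
    flags = int.from_bytes(datagram[6:8], "big")
    if total_len + overhead <= link_mtu:
        return ("send", datagram)
    if flags & IP_DF:
        return ("icmp", frag_needed(datagram, link_mtu - overhead))
    return ("fragment", datagram)

def sample(payload_len: int, df: bool = True) -> bytes:
    """Constructed datagram between two made-up hosts (1480 bytes fills 1500)."""
    return build_ipv4("10.0.0.1", "10.0.0.2", b"A" * payload_len, df)
```

A full 1500-byte DF-marked segment with 50 bytes of ESP growth yields an ICMP message advertising a 1450-byte MTU, which is what a PMTU-aware stack uses to resize the ftp data segments.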