Re[2]: don't-fragment-flag on ftp & icmp
Howdy. I'm new to IPSec list.
If you reduce your MTU to make room for your VPN headers (ESP or AH),
you can still have a problem with fragmentation. You still need to
add the headers before the fragmentation is done.
Sun Solaris systems (at least 2.5 and up) do Path MTU discovery. This
is done by sending maximum-sized ICMP packets with the "don't
fragment" flag set.
Once the Path MTU for the destination has been identified, all packets
sent to that destination will have the "don't fragment" flag set. One
of the purposes of this is to detect if a network route has changed to
a network with a smaller MTU.
I know SunOS 4.x systems do not do Path MTU discovery and, therefore,
do not set the "don't fragment" flag.
Brian St. Denis
bstdenis@paranet.com
______________________________ Reply Separator _________________________________
Subject: Re: don't-fragment-flag on ftp & icmp
Author: "Alexei V. Vopilov" <alx@elnet.msk.ru> at Internet-mail
Date: 12/16/97 10:48 PM
It would be correct if you reduce the MTU value
by configuring LAN interfaces. You'll need to
write your own network configuration script.
That can be done as well from within the IPsec
kernel driver during network stream construction time.
If you fail with the above, as a trick, you can drop
a big packet, generate a 'Need Fragmented' ICMP message
and send it up to the network stream.
Probably, you'll be able to 'teach' upper software this way
to reduce the downstream packet size.
In turn, the SunOS TCP/IP software should not set the DF
bit by default; check the /dev/ip variable settings
(or at least I've never observed such behavior).
regards,
---
Alexei V. Vopilov (alx@elnet.msk.ru), +7(095)5367694
Software Architecture & Development Consultant.
---
-----Original Message-----
From: CJ Gibson <cjgibson@semaphorecom.com>
To: 'ipsec' <ipsec@tis.com>
Date: 16 December 1997 22:23
Subject: don't-fragment-flag on ftp & icmp
:I have a question about encryption:
:My IPSec implementation sits on an Ethernet LAN which has a max PDU size
:of 1500. I've noticed that ftp builds IP packets at this max size and
:then sends them with the don't-fragment-flag set to 1. Encryption
:obviously adds bytes to the packet so how can I encrypt this without
:fragmenting it? Are we supposed to ignore the flag & fragment anyway?
:And how about ICMP (ping on my Sun sets the don't-fragment-flag as
:well)??
:What are the rest of you doing in this case??
:
:Thanx for your input..
: CJ
:
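Added example, not code from anyone in this thread: a small Python model of the gateway decision the replies above discuss. It takes the ESP overhead into account before deciding whether a DF-marked packet can be forwarded, and computes the reduced MTU that the 'Fragmentation Needed' ICMP message from Alexei's trick would carry. Overhead values (tunnel mode, 8-byte IV, 8-byte cipher block, 12-byte ICV) are assumed for illustration.

```python
# Added example (not from the thread): model how an IPsec gateway decides
# what to do with a DF-marked packet once ESP overhead is accounted for,
# including the ICMP "Fragmentation Needed" reply with the reduced MTU.
from dataclasses import dataclass

IPV4_HDR = 20            # outer IPv4 header added in tunnel mode
ESP_HDR = 8              # SPI (4) + sequence number (4)
ESP_TRAILER = 2          # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspParams:
    iv_len: int = 8       # assumed: 8-byte CBC IV (DES/3DES era)
    block: int = 8        # assumed: cipher block size for padding alignment
    icv_len: int = 12     # assumed: truncated HMAC ICV


def esp_tunnel_size(inner_len: int, p: EspParams) -> int:
    """Wire size of an inner IP packet of inner_len bytes after ESP
    tunnel-mode encapsulation (payload padded to a cipher block boundary)."""
    to_encrypt = inner_len + ESP_TRAILER
    padding = (-to_encrypt) % p.block
    return IPV4_HDR + ESP_HDR + p.iv_len + to_encrypt + padding + p.icv_len


def max_inner_size(link_mtu: int, p: EspParams) -> int:
    """Largest inner packet whose encapsulation still fits link_mtu.
    This is the MTU value to put in ICMP 'Fragmentation Needed'."""
    n = link_mtu
    while esp_tunnel_size(n, p) > link_mtu:
        n -= 1
    return n


def handle(inner_len: int, df: bool, link_mtu: int, p: EspParams):
    """Gateway decision for one inner packet, as (action, size_or_mtu)."""
    wire = esp_tunnel_size(inner_len, p)
    if wire <= link_mtu:
        return ("forward", wire)
    if df:
        # Alexei's trick: drop the packet and tell the sender the reduced
        # MTU so its path MTU discovery accounts for the IPsec overhead.
        return ("icmp_frag_needed", max_inner_size(link_mtu, p))
    # DF clear: fragment *before* encapsulation (Brian's point), so each
    # fragment gets its own ESP headers and still fits the link MTU.
    return ("fragment_then_encap", max_inner_size(link_mtu, p))
```

With the assumed overhead, a 1500-byte packet grows to 1552 bytes on the wire, and the gateway advertises 1446 bytes as the usable inner MTU on a 1500-byte Ethernet link.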