
Re[2]: don't-fragment-flag on ftp & icmp




Howdy.  I'm new to the IPSec list.

If you reduce your MTU to make room for your VPN headers (ESP or AH),
you can still have a problem with fragmentation.  You still need to
add the headers before the fragmentation is done.

Sun Solaris systems (at least 2.5 and up) do Path MTU discovery.  This
is done by sending maximum-sized ICMP packets with the "don't
fragment" flag set.

Once the Path MTU for the destination has been identified, all packets
sent to that destination will have the "don't fragment" flag set.  One
of the purposes of this is to detect whether a network route has changed to
a network with a smaller MTU.

I know SunOS 4.x systems do not do Path MTU discovery and, therefore,
do not set the "don't fragment" flag.

Brian St. Denis
bstdenis@paranet.com


______________________________ Reply Separator _________________________________
Subject: Re: don't-fragment-flag on ftp & icmp 
Author:  "Alexei V. Vopilov" <alx@elnet.msk.ru>  at Internet-mail
Date:    12/16/97 10:48 PM


It would be correct if you reduce the MTU value
by configuring the LAN interfaces. You'll need to
write your own network configuration script.
That can also be done from within the IPsec
kernel driver at network stream construction time.
     
If the above fails, as a trick you can drop
a big packet, generate a 'Need Fragmented' ICMP message
and send it up the network stream.
Probably you'll be able to 'teach' the upper software this way
to reduce the downstream packet size.
     
In turn, the SunOS TCP/IP software should not set the DF
bit by default; check the /dev/ip variable settings
(or at least I've never observed such behavior).
Regards,
---
Alexei V. Vopilov (alx@elnet.msk.ru),  +7(095)5367694 
Software Architecture&Development Consultant.
---
-----Original Message-----
From: CJ Gibson <cjgibson@semaphorecom.com> 
To: 'ipsec' <ipsec@tis.com>
Date:    16 December 1997 22:23
Subject: don't-fragment-flag on ftp & icmp
     
     
:I have a question about encryption:
:My IPSec implementation sits on an Ethernet LAN which has a max PDU size 
:of 1500. I've noticed that ftp builds IP packets at this max size and 
:then sends them with the don't-fragment-flag set to 1. Encryption 
:obviously adds bytes to the packet so how can I encrypt this without 
:fragmenting it? Are we supposed to ignore the flag & fragment anyway?
:And how about ICMP (ping on my Sun sets the don't-fragment-flag as 
:well)??
:What are the rest of you doing in this case?? 
:
:Thanx for your input..
: CJ
:
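The two mechanisms discussed in this thread, a sender doing Path MTU discovery with DF-flagged packets (Brian's description) and an IPsec driver that drops an oversize DF packet and hands a "fragmentation needed" ICMP back up the stack so the sender shrinks its packets (Alexei's trick), modelled together in one runnable example. This is an added illustration, not code from the list or from any of the posters. The ESP sizes are assumptions for the sake of the arithmetic (8-byte IV and cipher block as for a CBC cipher, 12-byte truncated-HMAC ICV, tunnel mode with a 20-byte outer IPv4 header); the addresses and the zero-filled payload are constructed, and `simulate_pmtud`, `handle_outbound` and the other names are this example's own.

```python
"""ESP tunnel overhead vs. the DF bit, and the RFC 1191 "fragmentation
needed" ICMP that lets Path MTU discovery adapt to it (illustrative model)."""
import socket
import struct

IPV4_HDR_LEN = 20
ESP_HDR_LEN = 8       # SPI (4) + sequence number (4)
ESP_TRAILER_LEN = 2   # pad length (1) + next header (1)
DF_FLAG = 0x4000      # "don't fragment" bit in the IPv4 flags/offset field

# Assumed ESP parameters (not taken from the thread): 8-byte block and IV
# as for a CBC cipher of that block size, 12-byte truncated-HMAC ICV.
BLOCK, IV_LEN, ICV_LEN = 8, 8, 12


def esp_padding(inner_len, block=BLOCK):
    """Padding so that inner + padding + trailer is a multiple of the block."""
    return (-(inner_len + ESP_TRAILER_LEN)) % block


def esp_tunnel_size(inner_len, block=BLOCK, iv_len=IV_LEN, icv_len=ICV_LEN):
    """Wire size of an inner datagram after ESP tunnel-mode encapsulation."""
    return (IPV4_HDR_LEN + ESP_HDR_LEN + iv_len + inner_len
            + esp_padding(inner_len, block) + ESP_TRAILER_LEN + icv_len)


def max_inner_len(link_mtu, block=BLOCK, iv_len=IV_LEN, icv_len=ICV_LEN):
    """Largest inner datagram whose encapsulation still fits the link MTU."""
    n = link_mtu
    while n > 0 and esp_tunnel_size(n, block, iv_len, icv_len) > link_mtu:
        n -= 1
    return n


def inet_checksum(data):
    """RFC 1071 one's-complement checksum; 0 when run over a checksummed header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, proto, payload, df=True, ident=0x1234, ttl=64):
    """Minimal IPv4 datagram; df=True sets the don't-fragment bit."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + len(payload),
                      ident, DF_FLAG if df else 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def df_set(packet):
    return bool(struct.unpack("!H", packet[6:8])[0] & DF_FLAG)


def build_icmp_frag_needed(offending, next_hop_mtu):
    """ICMP type 3 code 4 carrying the RFC 1191 next-hop MTU and quoting the
    offending IP header plus 8 bytes, as a router or tunnel driver would send."""
    ihl = (offending[0] & 0x0F) * 4
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + offending[:ihl + 8]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_icmp_frag_needed(msg):
    icmp_type, code, _, _, mtu = struct.unpack("!BBHHH", msg[:8])
    if (icmp_type, code) != (3, 4):
        raise ValueError("not a fragmentation-needed message")
    return mtu


def handle_outbound(packet, link_mtu):
    """What an ESP tunnel driver can do with one outbound inner datagram."""
    wire_len = esp_tunnel_size(len(packet))
    if wire_len <= link_mtu:
        return ("forward", wire_len)
    if df_set(packet):
        # Alexei's trick: drop it and send a "fragmentation needed" ICMP back
        # up the stack, advertising the inner size that fits after encapsulation.
        return ("icmp", build_icmp_frag_needed(packet, max_inner_len(link_mtu)))
    # DF clear: encapsulate first, then let IP fragment the ESP packet itself.
    return ("fragment", wire_len)


def simulate_pmtud(link_mtu, start_mtu=1500):
    """Sender side as Brian describes it: full-size DF packets, shrink on ICMP."""
    pmtu, events = start_mtu, []
    while True:
        # Constructed addresses and a zero-filled TCP (proto 6) payload.
        pkt = build_ipv4("10.0.0.1", "10.0.1.1", 6, b"\x00" * (pmtu - IPV4_HDR_LEN))
        verdict, info = handle_outbound(pkt, link_mtu)
        if verdict != "icmp":
            events.append((verdict, info))
            return pmtu, events
        new_mtu = parse_icmp_frag_needed(info)
        if new_mtu >= pmtu or new_mtu <= IPV4_HDR_LEN:   # refuse bogus advice
            raise RuntimeError("bad next-hop MTU %d" % new_mtu)
        pmtu = new_mtu
        events.append(("shrink", pmtu))


if __name__ == "__main__":
    print(simulate_pmtud(1500))
```

With the assumed sizes a 1500-byte inner packet grows to 1552 bytes on a 1500-byte Ethernet, so a DF-flagged packet cannot be forwarded; the driver answers with ICMP type 3 code 4 advertising 1446, the largest inner size whose padded encapsulation (1496 bytes) still fits, and the sender's next attempt goes through. Note that the advertised value is an effective MTU for the tunnel, not the physical next-hop MTU RFC 1191 literally names, which is exactly the point of the trick; the guard against a non-decreasing or absurdly small value is the check a sender should apply to any such message, since it arrives unauthenticated.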
     
     