
Re: Re[2]: don't-fragment-flag on ftp & icmp





-------------Brian St. Denis wrote:

>     . . .
>     If you reduce your MTU to make room for your VPN headers (ESP or AH),
>     you can still have a problem with fragmentation.  You still need to
>     add the headers before the fragmentation is done.

Adding ESP/AH headers still can be done after fragmentation, but you
will have to stick to tunnel mode (you cannot do the transport one!).

>     . . .
>     Once the Path MTU for the destination has been identified, all packets
>     sent to that destination will have the "don't fragment" flag set.  One
>     of the purposes of this is to detect if a network route has changed to
>     a network with a smaller MTU.
>
>. . .


--Alexei
______________________________ Reply Separator _________________________________
Subject: Re: don't-fragment-flag on ftp & icmp
Author:  "Alexei V. Vopilov" <alx@elnet.msk.ru>  at Internet-mail
Date:    12/16/97 10:48 PM


It would be correct if you reduce the MTU value
by configuring LAN interfaces. You'll need to
write your own network configuration script.
That can be done as well from within the IPsec
kernel driver during network stream construction time.

If you fail with the above, as a trick, you can drop
a big packet, generate a 'Need Fragmented' ICMP message
and send it up to the network stream.
Probably you'll be able to 'teach' upper software this way
to reduce downstream packet size.

In turn, the SunOS TCP/IP software should not set the DF
bit by default; check the /dev/ip variables setting
(or at least I've never observed such behavior.)
regards,
---
Alexei V. Vopilov (alx@elnet.msk.ru),  +7(095)5367694
Software Architecture&Development Consultant.
---
-----Original Message-----
From: CJ Gibson <cjgibson@semaphorecom.com>
To: 'ipsec' <ipsec@tis.com>
Date: 16 December 1997 22:23
Subject: don't-fragment-flag on ftp & icmp


:I have a question about encryption:
:My IPSec implementation sits on an Ethernet LAN which has a max PDU size
:of 1500. I've noticed that ftp builds IP packets at this max size and
:then sends them with the don't-fragment-flag set to 1. Encryption
:obviously adds bytes to the packet so how can I encrypt this without
:fragmenting it? Are we supposed to ignore the flag & fragment anyway?
:And how about ICMP (ping on my Sun sets the don't-fragment-flag as
:well)??
:What are the rest of you doing in this case??
:
:Thanx for your input..
: CJ
:
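The "drop the big packet and send a Fragmentation Needed ICMP back" trick from Alexei's earlier message, together with the ESP tunnel-mode overhead that keeps a full-size DF packet from fitting the link, as an added Python example (not code from this thread or from any IPsec implementation): it computes the encapsulated size, finds the inner MTU the gateway should advertise, and builds the RFC 1191 ICMP type 3 / code 4 message. The transform sizes (8-byte IV and block, 12-byte ICV, as for DES-CBC with HMAC-96) and the 10.0.0.x sample datagram are assumptions.

```python
import struct

def ip_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def esp_tunnel_size(inner_len, iv_len=8, block=8, icv_len=12):
    """Bytes on the wire for an ESP tunnel-mode packet carrying an inner IP
    datagram of inner_len bytes: outer IPv4 header (20) + SPI/sequence (8)
    + IV + inner datagram + padding to the cipher block + pad-length and
    next-header bytes (2) + ICV.  Defaults are assumed DES-CBC/HMAC-96 sizes."""
    pad = (-(inner_len + 2)) % block
    return 20 + 8 + iv_len + inner_len + pad + 2 + icv_len

def inner_mtu_for(link_mtu, **esp):
    """Largest inner datagram that still fits link_mtu after encapsulation."""
    n = link_mtu
    while esp_tunnel_size(n, **esp) > link_mtu:
        n -= 1
    return n

def frag_needed_icmp(ip_packet, link_mtu, **esp):
    """Return the ICMP Destination Unreachable / Fragmentation Needed message
    (type 3, code 4, RFC 1191) the gateway hands back to the sender when DF is
    set and the packet would not fit the link after ESP tunnel encapsulation;
    None when it fits, or when DF is clear and it may be fragmented instead."""
    ihl = (ip_packet[0] & 0x0F) * 4
    flags = struct.unpack("!H", ip_packet[6:8])[0]
    if not flags & 0x4000 or esp_tunnel_size(len(ip_packet), **esp) <= link_mtu:
        return None
    # The next-hop MTU field tells the host what size to shrink to.
    body = struct.pack("!BBHHH", 3, 4, 0, 0, inner_mtu_for(link_mtu, **esp))
    body += ip_packet[:ihl + 8]          # original IP header + first 8 data bytes
    return body[:2] + struct.pack("!H", ip_checksum(body)) + body[4:]

def sample_packet(total_len=1500, df=True):
    """Constructed IPv4 datagram (protocol 6, 10.0.0.1 -> 10.0.0.2, zeroed
    payload), sized like the full-MTU ftp packets in the original question."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234,
                      0x4000 if df else 0, 64, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + bytes(total_len - 20)
```

With a 1500-byte link, a 1500-byte DF packet grows to 1552 bytes in the tunnel, so the gateway advertises 1446 as the next-hop MTU, the largest inner size that still fits after padding.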