
Re: MSS option with IPSEC.




>If a TCP connection is using AH or ESP, does the mss option sent
>during the SYN account for the AH/ESP headers also?
>
>Assume the MTU of the link is 1500. Normally the mss (without
>any options) is 1460 (20 bytes of TCP and 20 bytes of IP
>header). If the connection uses AH/ESP, does the sending
>side decrease the mss further? Curious to know what
>the other implementations do out there. Currently I am assuming
>it decreases the mss further if AH/ESP is present.

	KAME (http://www.kame.net/) decreases the mss value by the AH/ESP header size.
	It is working well.

	I dunno what happens if the security association is changed frequently
	while TCP is connected; if anyone has experience, please let me
	know...

itojun
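
The adjustment discussed in this thread, as an added example (not part of the original messages and not KAME's code): the largest MSS that still fits a 1500-byte MTU once AH or ESP transport-mode overhead is counted, including ESP's block padding. The algorithm sizes (3DES-CBC, AES-CBC, HMAC-SHA1-96), IPv4 without options and TCP without options are assumptions made here for illustration.

```c
#include <stdio.h>

/* Constructed parameters: IPv4 without options, TCP without options,
 * transport mode. Algorithm sizes are assumptions chosen for illustration. */
#define IP_HDR   20
#define TCP_HDR  20
#define ESP_HDR   8   /* SPI + sequence number */
#define ESP_TRL   2   /* pad length + next header */
#define AH_FIXED 12   /* next hdr, len, reserved, SPI, sequence number */

struct esp_sa { int iv_len; int block; int icv_len; };

/* On-the-wire IPv4 packet length for an ESP-protected TCP segment. */
static int esp_packet_len(const struct esp_sa *sa, int tcp_payload)
{
    int align = sa->block < 4 ? 4 : sa->block;      /* ESP needs >= 4-byte alignment */
    int clear = TCP_HDR + tcp_payload + ESP_TRL;    /* bytes covered by padding rule */
    int padded = (clear + align - 1) / align * align;
    return IP_HDR + ESP_HDR + sa->iv_len + padded + sa->icv_len;
}

/* Largest MSS whose full-size segment still fits in the link MTU. */
static int esp_mss(const struct esp_sa *sa, int mtu)
{
    int align = sa->block < 4 ? 4 : sa->block;
    int room = mtu - IP_HDR - ESP_HDR - sa->iv_len - sa->icv_len;
    int padded = room / align * align;              /* round down to a whole block */
    return padded - ESP_TRL - TCP_HDR;
}

/* AH adds a fixed header plus the ICV (assumed a multiple of 4 bytes);
 * its size does not depend on the payload length. */
static int ah_mss(int icv_len, int mtu)
{
    return mtu - IP_HDR - (AH_FIXED + icv_len) - TCP_HDR;
}

int main(void)
{
    struct esp_sa tdes = { 8, 8, 12 };    /* 3DES-CBC + HMAC-SHA1-96 */
    struct esp_sa aes  = { 16, 16, 12 };  /* AES-CBC  + HMAC-SHA1-96 */
    printf("plain      mss=%d\n", 1500 - IP_HDR - TCP_HDR);
    printf("AH         mss=%d\n", ah_mss(12, 1500));
    printf("ESP 3DES   mss=%d len=%d\n", esp_mss(&tdes, 1500),
           esp_packet_len(&tdes, esp_mss(&tdes, 1500)));
    printf("ESP AES    mss=%d len=%d\n", esp_mss(&aes, 1500),
           esp_packet_len(&aes, esp_mss(&aes, 1500)));
    return 0;
}
```

Because the overhead depends on the algorithms of the security association in use, an MSS computed for one SA can be too large for another.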

