
DF / PMTU Question



Hello all,

I'm unclear as to the required/desired handling by a security
gateway of:

  1. the DF (DONT-FRAGMENT) flag, and its interaction with 
  2. the PMTU stored for SAs in the SAD

(Studying RFC-2401 and searching through the IPSEC-list
archive has not helped.)


1. According to RFC-2401 when a SGW tunnels a packet,
   it uses local policy to decide the DF value to use 
   in the outer header:
     (a) copy DF bit from inner packet
     (b) set DF bit
     (c) clear DF bit

   In line with how a router handles traffic, when the 
   outer DF value = set, the packet should be dropped
   if the tunneled packet exceeded the MTU of the next
   hop. An ICMP message "Fragmentation needed and DF set"
   should then be returned to the sending host.

   When outer DF value = clear, the packet should be 
   fragmented if the tunneled packet exceeded the MTU 
   of the next hop. 


2. According to RFC-2401 when an SGW receives an ICMP error 
   message "Fragmentation needed and DF set", but it cannot 
   determine the originating host, it should store the PMTU
   (reduced by any IPsec overhead) with the SA.

   When subsequent packets are received on this SA and they 
   exceed the PMTU stored for the SA, the packet should be 
   dropped and an ICMP message "Fragmentation needed and DF 
   set" should then be returned to the sending host. 

   Since RFC-2401 makes no mention of consulting DF, I assume 
   this should be done regardless of the value of DF.

   After some local configurable time, the PMTU value stored 
   with the SA should be aged and replaced with the interface 
   MTU.



There is a conflict between the behavior 1 and 2 described 
above. 
 e.g. Suppose a packet which has DF clear in its outer 
      header exceeds the interface MTU / SA PMTU.

      Should the packet be fragmented, or dropped and an
      ICMP error generated?


Should this be a configurable local policy?

I would appreciate any comments.

Thanks, 

Fergus Fletcher

-- Tel. : (408) 328-5445   E-mail: fletcher@cylink.com
-- Fax. : (408) 735-6645      
-- Cylink Corporation,           
-- 910 Hermosa Court ,     Sunnyvale, CA 94086
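The two behaviours described in the post, modelled as an added example (not code from the poster or from any IPsec implementation): the outer DF choice, the per-SA stored PMTU with its aging, and the outbound decision. The policy names, the `pmtu_overrides_df` switch that stands in for the configurable local policy the post asks about, and the tick-based age counter are constructed assumptions, not RFC 2401 text.

```python
# Added model of the SGW decisions discussed in the post. Policy names,
# the pmtu_overrides_df knob and the age counter are constructed
# assumptions, not text from RFC 2401.

COPY, SET, CLEAR = "copy", "set", "clear"   # local DF policy (behaviour 1)

def outer_df(inner_df: bool, policy: str) -> bool:
    """Choose the outer-header DF bit from local policy."""
    if policy == COPY:
        return inner_df
    if policy == SET:
        return True
    if policy == CLEAR:
        return False
    raise ValueError(f"unknown DF policy: {policy}")

class SA:
    """One outbound SA with the PMTU the SAD stores for it (behaviour 2)."""
    def __init__(self, if_mtu: int, overhead: int) -> None:
        self.if_mtu = if_mtu            # next-hop interface MTU
        self.overhead = overhead        # bytes added by tunnel-mode IPsec
        self.pmtu = if_mtu - overhead   # stored PMTU applies to the inner packet
        self.age = 0                    # ticks since the PMTU was learned

def learn_pmtu(sa: SA, icmp_mtu: int) -> None:
    """ICMP 'fragmentation needed' arrived and the origin host is unknown:
    store the reported MTU, reduced by IPsec overhead, with the SA."""
    sa.pmtu = min(sa.pmtu, icmp_mtu - sa.overhead)
    sa.age = 0

def age_pmtu(sa: SA, ticks: int, max_age: int) -> None:
    """After max_age ticks, fall back to the interface MTU (less overhead)."""
    sa.age += ticks
    if sa.age >= max_age:
        sa.pmtu, sa.age = sa.if_mtu - sa.overhead, 0

def tunnel(sa: SA, inner_df: bool, inner_len: int, policy: str,
           pmtu_overrides_df: bool) -> str:
    """Return 'forward', 'fragment' or 'drop+icmp' for one packet.
    pmtu_overrides_df is the configurable choice the post asks about:
    True enforces the stored SA PMTU regardless of DF (behaviour 2 as the
    post reads it); False fragments DF-clear packets (behaviour 1)."""
    outer_len = inner_len + sa.overhead
    over_link = outer_len > sa.if_mtu
    over_pmtu = inner_len > sa.pmtu
    if not (over_link or over_pmtu):
        return "forward"
    if outer_df(inner_df, policy) or (pmtu_overrides_df and over_pmtu):
        return "drop+icmp"   # ICMP "fragmentation needed and DF set"
    return "fragment"
```

With a 1500-byte interface MTU and 56 bytes of tunnel overhead, a 1400-byte DF-clear inner packet is fragmented or dropped after an ICMP error reporting MTU 1400 depending only on the switch, which is exactly the ambiguity the post raises.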