
Re: DF / PMTU Question



> Date: Wed, 04 Aug 1999 17:29:51 -0700
> From: fletcher@cylink.com (Fergus Fletcher)
> Subject: DF / PMTU Question
> ...
> Hello all,
>
> I'm unclear as to the required/desired handling by a security
> gateway of:
>
>   1. the DF (DONT-FRAGMENT) flag, and its interaction with 
>   2. the PMTU stored for SAs in the SAD
> ...
> 2. According to RFC-2401 when an SGW receives an ICMP error 
>    message "Fragmentation needed and DF set", but it cannot 
>    determine the originating host, it should store the PMTU
>    (reduced by any IPsec overhead) with the SA.
>
>    When subsequent packets are received on this SA and they 
>    exceed the PMTU stored for the SA, the packet should be 
>    dropped and an ICMP message "Fragmentation needed and DF 
>    set" should then be returned to the sending host. 
>
>    Since RFC-2401 makes no mention of consulting DF, I assume 
>    this should be done regardless of the value of DF.

That is not a good assumption.  RFC-2401 deals with both IPv4
and IPv6.  IPv6 does not have a DF bit, it is just assumed.  For
IPv4, if the incoming packet does not have the DF bit set, it
should be fragmented and sent along its way.  Failure to do so
can break lots of things (like anything that isn't TCP...).

You do *not* want to generate an "ICMP fragmentation needed and
DF set" message unless you know that the host will understand
it properly, and the only way you know that is by the presence
of the DF bit.
			-David Borman, dab@bsdi.com
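The gateway behaviour discussed in this exchange, written out as an added example (not code from either poster or from any IPsec implementation): an ICMP "fragmentation needed" report updates the PMTU stored with the SA after subtracting tunnel overhead, and an outbound inner packet is then forwarded, fragmented (IPv4 with DF clear) or dropped with an ICMP error (IPv4 with DF set, or IPv6, which has no DF bit). The overhead constants, the SA class and the function names are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Assumed per-packet overhead of a tunnel-mode ESP SA, in bytes. Real values
# depend on the negotiated transforms; these are constructed for the example.
OUTER_IPV4_HDR = 20
ESP_OVERHEAD = 8 + 16 + 15 + 2 + 12   # SPI/seq + IV + worst-case pad + trailer + ICV
MIN_PMTU_V4 = 68                      # smallest MTU an IPv4 path must carry


@dataclass
class SecurityAssociation:
    """Minimal SAD entry (assumed shape): only the PMTU field matters here."""
    pmtu: int = 1500   # start at the link MTU until an ICMP error says otherwise


def update_sa_pmtu(sa: SecurityAssociation, icmp_next_hop_mtu: int) -> int:
    """Record the MTU from an ICMP 'fragmentation needed and DF set' error,
    reduced by the IPsec overhead, so the value applies to the inner packet."""
    inner_mtu = icmp_next_hop_mtu - OUTER_IPV4_HDR - ESP_OVERHEAD
    inner_mtu = max(inner_mtu, MIN_PMTU_V4)
    sa.pmtu = min(sa.pmtu, inner_mtu)   # an ICMP error never raises the PMTU
    return sa.pmtu


def handle_outbound(sa: SecurityAssociation, ip_version: int, total_len: int,
                    df: bool, header_len: int = 20) -> Tuple[str, List[int]]:
    """Decide what the gateway does with an inner packet before encapsulating
    it on this SA. Returns (action, payload length of each fragment sent)."""
    if total_len <= sa.pmtu:
        return ("forward", [total_len])
    # IPv6 has no DF bit and intermediate nodes never fragment; IPv4 with DF
    # set asked for the same treatment. Both senders understand the ICMP error.
    if ip_version == 6 or df:
        return ("drop_and_send_icmp_frag_needed", [])
    # IPv4 with DF clear: fragment rather than drop, or non-TCP traffic breaks.
    # Every fragment but the last carries a payload that is a multiple of 8.
    payload = total_len - header_len
    per_fragment = (sa.pmtu - header_len) // 8 * 8
    sizes: List[int] = []
    while payload > 0:
        chunk = min(per_fragment, payload)
        sizes.append(chunk)
        payload -= chunk
    return ("fragment", sizes)
```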