PMTU Discovery on Security Gateway
I'd like to clarify the usage of the PMTU value found through the PMTU discovery process on the security gateway.

Ideally, the PMTU should be used to fragment the original datagram before encapsulating instead of after encapsulating on the gateway, because fragmenting the encapsulated datagram will require the decapsulator gateway to reassemble the packet before forwarding it on, while fragmenting the original datagram will result in the reassembly being done on the destination host and therefore speed up routing performance. (In fact, this is what a gateway will do for IpInIp or greIp tunnelling, RFC 2003.)

However, for an IPSec gateway, since tunnel mode AH/ESP processing must be applied to a whole IP datagram (not fragments of an original datagram, because not all fragments will contain all 5 selectors required by IPSec), even if we know that the datagram exceeds the size of the discovered PMTU, we still cannot fragment it until IP tunnel header encapsulation is done. In other words, if fragmentation is required, it will always be applied to the encapsulated packet, and whether the packet is fragmented on the security gateway or on some intermediate routers in between the security gateways does not make any difference. Even if the security gateway does not do path MTU discovery and just sends the packet out using the interface MTU, the middle router which has a smaller MTU than the packet size will still fragment the encapsulated packet, which will result in the same effect as if the packet is fragmented on the security gateway.

It seems to me that the security gateway itself doesn't really take advantage of the PMTU like an IP tunnelling gateway does, and the only advantage of the security gateway doing PMTU discovery is that it can propagate the PMTU to the original host to generate smaller packets in the first place. However, if this is the only advantage, why not just have the host do Path MTU discovery?
Regards,
Lor Zhou.
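As an added example that is not part of the original post or of any IPsec implementation, the following Python works the sizing argument through for tunnel-mode ESP: the largest inner datagram that still fits the discovered PMTU (the value a gateway would propagate back to the host) and the number of outer fragments produced when a full-size inner packet is encapsulated as-is. The header, IV, block and ICV sizes are assumed constants (IPv4 outer header, 16-byte IV, 16-byte cipher block, 12-byte ICV); adjust them for the real SA.

```python
# Added example, not from the original post: size arithmetic for tunnel-mode
# ESP. Parameters below are assumed/constructed values, not from any real SA.

OUTER_IP_HDR = 20   # outer IPv4 header prepended in tunnel mode
ESP_HDR = 8         # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2     # pad length (1) + next header (1)


def esp_tunnel_size(inner_len, iv_len=16, block=16, icv_len=12):
    """Total on-the-wire length of an inner datagram after tunnel-mode ESP."""
    # The encrypted body is inner datagram + padding + pad length + next header,
    # padded so its length is a multiple of the cipher block size.
    body = inner_len + ESP_TRAILER
    pad = (-body) % block
    return OUTER_IP_HDR + ESP_HDR + iv_len + body + pad + icv_len


def max_inner_for_pmtu(pmtu, iv_len=16, block=16, icv_len=12):
    """Largest inner datagram whose ESP encapsulation still fits in pmtu.

    This is the value the gateway would propagate back to the sending host;
    padding makes the overhead variable, so step down from the no-pad bound.
    """
    inner = pmtu - (OUTER_IP_HDR + ESP_HDR + iv_len + ESP_TRAILER + icv_len)
    while inner > 0 and esp_tunnel_size(inner, iv_len, block, icv_len) > pmtu:
        inner -= 1
    return inner


def outer_fragments(inner_len, pmtu, iv_len=16, block=16, icv_len=12):
    """Number of IP fragments the encapsulated packet is split into on a
    link of MTU pmtu (1 means no fragmentation)."""
    total = esp_tunnel_size(inner_len, iv_len, block, icv_len)
    if total <= pmtu:
        return 1
    payload = total - OUTER_IP_HDR
    per_frag = ((pmtu - OUTER_IP_HDR) // 8) * 8   # fragment offsets are 8-byte units
    return -(-payload // per_frag)   # ceiling division


if __name__ == "__main__":
    pmtu = 1400
    print("largest inner datagram for PMTU", pmtu, "->", max_inner_for_pmtu(pmtu))
    # A 1500-byte host packet encapsulated as-is is fragmented after encapsulation.
    print("outer fragments for a 1500-byte inner packet:", outer_fragments(1500, pmtu))
```

With these parameters a 1400-byte PMTU leaves room for a 1342-byte inner datagram, while a 1500-byte inner packet encapsulates to 1560 bytes and is split into two outer fragments, which is the post-encapsulation fragmentation the post describes.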