encapsulation PMTU-friendly proposal
draft-richardson-ipsec-fragment-00.txt, at an ID mirror near you soon.
2. Heuristic
Summary: If the system is keeping per flow state, preferentially
error packets that suddenly reach a new high-water mark for each
particular flow, because they are likely to be probes, or classic
PMTUD.
For systems that have per-flow [Host to Host] (Ed. per-microflow -
5-tuple?) tracking, step 1 is included. Otherwise, it is skipped.
2.1 Step 0 - selection
Is the datagram too big for the tunnel, and has the DF bit set? If
not, encapsulate as normal.
2.2 Step 1 - tracking
Keep track of the largest datagram size received. When there is a
new high water mark, do standard ICMP Need Fragment processing. If
this is the first time the datagram was too big, then goto step 4.
If not, then drop datagram.
2.3 Step 2 - size check
Is the amount that the packet is too big exactly due to the tunnel
overhead? (In particular, this would never apply when the media on
both sides is dissimilar). If not, do standard ICMP processing, and
drop the datagram.
2.4 Step 3 - error throttling
Does error rate limiting permit an ICMP error message to be sent at this
time? (rate limited to about 1 packet per second) If so, then do
standard ICMP Need Fragment processing, and drop the datagram.
2.5 Step 4 - send
Fragment the datagram prior to encapsulation. Divide the datagram
into two equal pieces and encapsulate each one separately. No
attempt to send an ICMP is made.
3. Example
A 1500 packet to which a 20 byte IP and 28 byte ESP header is added,
trying to fit on a 1500 byte network is fragmented anyway.
A 9000 byte packet with a 20 byte IP and 28 byte ESP header trying to
fit on a 1500 byte network is dropped.
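The decision path of steps 0, 2, 3 and 4 for a gateway that keeps no per-flow state (so step 1 is skipped), as an added example that is not part of the original message or the draft. All names are hypothetical. It assumes a literal reading of step 2 (the excess must equal the tunnel overhead exactly) and that the step 2 error does not consume the step 3 rate-limit budget.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added illustration; type and function names are hypothetical. */
enum verdict { ENCAP_NORMAL, ICMP_AND_DROP, FRAGMENT_THEN_ENCAP };

struct tunnel {
    unsigned link_mtu;   /* MTU of the network carrying the tunnel */
    unsigned overhead;   /* outer IP + ESP bytes added per datagram */
    double   last_icmp;  /* time the last step 3 error was sent, seconds */
    bool     icmp_sent;  /* false until the first step 3 error is sent */
};

/* Step 3: allow about one ICMP error per second. */
static bool icmp_allowed(struct tunnel *t, double now)
{
    if (t->icmp_sent && now - t->last_icmp < 1.0)
        return false;
    t->icmp_sent = true;
    t->last_icmp = now;
    return true;
}

enum verdict classify(struct tunnel *t, unsigned len, bool df, double now)
{
    /* Step 0: only oversized datagrams with DF set get special handling. */
    if (!df || len + t->overhead <= t->link_mtu)
        return ENCAP_NORMAL;
    /* Step 2: is the excess exactly the tunnel overhead? (assumed literal) */
    if (len + t->overhead - t->link_mtu != t->overhead)
        return ICMP_AND_DROP;
    /* Step 3: if an error may be sent now, send it and drop the datagram. */
    if (icmp_allowed(t, now))
        return ICMP_AND_DROP;
    /* Step 4: fragment before encapsulation, send no ICMP. */
    return FRAGMENT_THEN_ENCAP;
}

int main(void)
{
    /* Constructed inputs: section 3 sizes, 20 + 28 bytes of overhead. */
    struct tunnel t = { 1500, 48, 0.0, false };
    printf("9000 bytes:          %d\n", classify(&t, 9000, true, 0.0));
    printf("1500 bytes, t=0.0:   %d\n", classify(&t, 1500, true, 0.0));
    printf("1500 bytes, t=0.5:   %d\n", classify(&t, 1500, true, 0.5));
    return 0;
}
```

On this stateless path the 1500 byte datagram is fragmented only while the rate limiter is withholding the ICMP error; the first one in each interval still draws the error and is dropped.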