Re: IPSEC transport mode w/2.2.x kernels and large packets

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Rik van Riel: "Re: no driver change for 2.4?"
• Previous message: Richard Guy Briggs: "Re: IPSEC transport mode w/2.2.x kernels and large packets"
• In reply to: Alan Cox: "Re: IPSEC transport mode w/2.2.x kernels and large packets"
• Next in thread: kuznet@ms2.inr.ac.ru: "Re: IPSEC transport mode w/2.2.x kernels and large packets"

Alan Cox said:
> > > Alan Cox suggested setting the MTU to the maximum allowed:0xfff0, then
> > > fragmenting after encryption to the MTU of the physical device.
> >
> > So when one fragment gets dropped the whole packet is lost ? This is the
> > "NFS trap" and works badly over WANs, because you would disturb path
> > MTU discovery. It is important that packets with DF get a icmp error
> > when they exceed the effective size of the tunnel.
>
> What I suggested is a bit cleverer than that
>
> Set the MTU to 64K
> Set the MSS on the routers to the estimated path mtu

Mea culpa! I forgot to mention this other clever half. Please excuse
the omission.

> Now TCP generates frames the right size for optimal performance, everything
> else hands down full datagrams and the world is a happier place.
>
> You can't run path MTU discovery with IPsec. The DF could be faked and aimed
> at dropping your link to unusably low speeds. Ignoring the DF could equally
> be a complete link failure. So you don't run mtu discovery.

Right, IPSECed packets should arguably never have DF set. From the
RFCs, IIRC, this is configurable.

The gateways can, however, tell the hosts behind the gateways that the
tunnel is slightly smaller, to improve performance, which is what we
are trying to do.

I am still fiddling with bits and pieces to try to figure out where to
set the mss without affecting the MTU of that device or that route?
Can you be very specific about which members of which structures do
this? I assumed that skb->dst->pmtu was one, but I am not certain.
Are they actually named 'mss'?

slainte mhath, RGB
- --
The first Ottawa Linux Symposium was a huge success! <ottawalinuxsymposium.org>
This SunRayce was a wet one! DroughtRelief_99? -- <www.sunrayce.com/sunrayce/>
Richard Guy Briggs -- PGP key available Auto-Free Ottawa! Canada
<http://www.conscoop.ottawa.on.ca/rgb/> </www.flora.org/afo/>
Prevent Internet Wiretapping! -- FreeS/WAN:<www.xs4all.nl/~freeswan>
Thanks for voting Green! -- <green.ca> Marillion:<www.marillion.co.uk>

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBN6xZyt+sBuIhFagtAQH4vQQAskr7q4k1Nwdo6rtaZrNkdrIg53RXEB+L
5jGBIUpGAbi6aW5UoZWLszofOgqba3IEr/mnN0jBxYbsjhJaj58uTMazwq56GrOJ
QWw59Bk86uRCZKzQvgEECoGtfAXcdYZJ/g1cXK3JCcyAW5FqQvnJoH8TNAviPrM/
LxYPeibcrPk=
=Ppcv
-----END PGP SIGNATURE-----

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

• Next message: Rik van Riel: "Re: no driver change for 2.4?"
• Previous message: Richard Guy Briggs: "Re: IPSEC transport mode w/2.2.x kernels and large packets"
• In reply to: Alan Cox: "Re: IPSEC transport mode w/2.2.x kernels and large packets"
• Next in thread: kuznet@ms2.inr.ac.ru: "Re: IPSEC transport mode w/2.2.x kernels and large packets"