Re: IPSEC transport mode w/2.2.x kernels and large packets

Alan Cox (alan@lxorguk.ukuu.org.uk)
Sat, 7 Aug 1999 19:08:33 +0100 (BST)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Linus Torvalds: "Re: fyi: pre2.3.13-7,8 boot failures"
Previous message: Robert de Vries: "Re: [NEW PATCH] timers, sysctl, signal (only to get POSIX timers and clocks)"

> > Right, IPSECed packets should arguably never have DF set. From the
> > RFCs, IIRC, this is configurable.
>
> They should. Writing a protocol in the 90ies which does not support
> path mtu discovery is a very bad idea. Fragmented packets mean that

They thought about this, but there are some very very inconvient problems
with ripping every internet router out and enforcing mandatory IP-AH on
all routers with key exchanges and webs of trust.

Sometimes mathematics forces bad over "not possible"

> If you want to support IPv6 you'll need that anyways. DF is the default
> there and cannot be turned off.

IPv6 has a much higher minimum MTU, the issue basically doesnt arise as the
attacks dont work.

> Just set the MTU of the device correct. Then it'll happen for you.

Pity everything else then breaks

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: Linus Torvalds: "Re: fyi: pre2.3.13-7,8 boot failures"
Previous message: Robert de Vries: "Re: [NEW PATCH] timers, sysctl, signal (only to get POSIX timers and clocks)"