23.12.2019 18:00, Andrey V. Elsukov wrote:
> On 23.12.2019 13:55, Eugene Grosbein wrote:
>>> I think the real problem is that PMTUD doesn't work correctly with
>>> IPsec. Linux has special sysctl variable ip_no_pmtu_disc and flag
>>> SADB_SAFLAGS_NOPMTUDISC for SA that can disable PMTUD for IPv4 and IP_DF
>>> flag will not be set. We can add some similar quirks, but it would be
>>> better to fix PMTUD. We already have hundreds of sysctls in our system and
>>> remembering all of them is a problem too.
>>
>> It's true that PMTUD does not work with IPSec transport mode.
>>
>> I think we could just clear DF bit off encapsulated transport mode packets
>> unconditionally,
>> please take a look at the last chunk of sample patch in the PR 242744:
>> https://bz-attachments.freebsd.org/attachment.cgi?id=210122
>>
>> Sample patch creates another sysctl but we should do it unconditionally,
>> shouldn't we?
>
> As I said I didn't find that other OSes do this. Linux has PMTUD enabled
> by default, strongswan doesn't set SADB_SAFLAGS_NOPMTUDISC flag,
> OpenBSD has no such quirk. Why should we add this instead of trying to fix
> PMTUD?
RFC 2401 Appendix B https://tools.ietf.org/html/rfc2401#page-1-48 states that packets
generated by IPSec transport mode must be "fragmentable" over the path, and this is
incompatible with DF=1.

_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
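For reference, the mechanical part of "clear DF bit off encapsulated transport mode packets" looks like this in code. This is an illustrative example added to the thread; it is not the code from the attachment in PR 242744 and not FreeBSD's IPsec output path. It assumes a raw 20-byte IPv4 header without options, in network byte order, and works on a constructed sample header rather than captured traffic. It clears IP_DF and repairs the header checksum incrementally per RFC 1624 (so the rest of the header is not re-read), then cross-checks the incremental result against a full recomputation.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IP_DF 0x4000u  /* "don't fragment" bit in the IPv4 flags/fragment-offset word */

/* Standard ones'-complement checksum over an IPv4 header. Run over a header
 * whose checksum field is already filled in, a result of 0 means "valid". */
uint16_t ip_cksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((hdr[i] << 8) | hdr[i + 1]);
    if (len & 1)
        sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Clear DF in a network-byte-order IPv4 header (no options assumed) and patch
 * the header checksum incrementally, RFC 1624 eq. 3: HC' = ~(~HC + ~m + m').
 * Returns 1 if DF was set and is now cleared, 0 if it was already clear. */
int ip_clear_df(uint8_t *hdr)
{
    uint16_t m = (uint16_t)((hdr[6] << 8) | hdr[7]);     /* old flags/offset word */
    if (!(m & IP_DF))
        return 0;
    uint16_t mprime = (uint16_t)(m & ~IP_DF);             /* new flags/offset word */
    uint16_t hc = (uint16_t)((hdr[10] << 8) | hdr[11]);   /* old header checksum */
    uint32_t sum = (uint16_t)~hc;
    sum += (uint16_t)~m;
    sum += mprime;
    while (sum >> 16)
        sum = (sum & 0xffffu) + (sum >> 16);
    uint16_t hcprime = (uint16_t)~sum;
    hdr[6]  = (uint8_t)(mprime >> 8);
    hdr[7]  = (uint8_t)(mprime & 0xff);
    hdr[10] = (uint8_t)(hcprime >> 8);
    hdr[11] = (uint8_t)(hcprime & 0xff);
    return 1;
}

/* Constructed sample (not captured traffic): header of a 60-byte TCP segment,
 * DF set, 10.0.0.1 -> 10.0.0.2, header checksum 0x0a74 already correct. */
static const uint8_t sample_hdr[20] = {
    0x45, 0x00, 0x00, 0x3c, 0x1c, 0x46, 0x40, 0x00, 0x40, 0x06,
    0x0a, 0x74, 0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02
};

/* Copy the sample header into out, clear DF and return the new checksum
 * (0x4a74 for the sample), or 0 if any consistency check fails. */
uint16_t demo_clear_df(uint8_t out[20])
{
    uint8_t tmp[20];
    memcpy(out, sample_hdr, sizeof sample_hdr);
    if (ip_cksum(out, 20) != 0)                       /* input header must verify */
        return 0;
    if (ip_clear_df(out) != 1)                        /* DF was set: must report a change */
        return 0;
    if ((out[6] & 0x40) || ip_cksum(out, 20) != 0)    /* DF gone, checksum still valid */
        return 0;
    uint16_t hc = (uint16_t)((out[10] << 8) | out[11]);
    memcpy(tmp, out, 20);                             /* cross-check: full recompute */
    tmp[10] = tmp[11] = 0;
    if (ip_cksum(tmp, 20) != hc)
        return 0;
    return hc;
}

int main(void)
{
    uint8_t hdr[20];
    uint16_t hc = demo_clear_df(hdr);
    printf("DF cleared, flags/offset=0x%02x%02x, new header checksum=0x%04x\n",
           hdr[6], hdr[7], hc);
    return hc == 0 ? 1 : 0;
}
```

In a real output path this would run on the outer header of the already-encapsulated packet, just before it is handed to the IP layer, so intermediate routers are allowed to fragment the ESP packet; whether that should be unconditional or behind a sysctl is exactly the question the thread is arguing about, and this example takes no position on it.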