Andrey V. Elsukov wrote:
> On 17.01.2020 12:36, Victor Sudakov wrote:
> > Back to the point. I've figured out that both encrypted (in transport
> > mode) and unencrypted TCP segments have the same MSS=1460. Then I'm
> > completely at a loss how the encrypted packets avoid being fragmented.
> > TCP has no way to know in advance that encryption overhead will be
> > added.
>
> For IPsec endpoints (i.e. when you encrypt own sessions) TCP for each
> outgoing packet invokes IPSEC_HDRSIZE() method, that returns approximate
> size required for IPsec, and using this information it calculates MSS.

I observe in Wireshark that the MSS is the same in encrypted and unencrypted segments.

> I think this should work in this way.

Obviously it is not working this way; if it were, I'd see different MSS values, but this is not the case.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/