On Wed, 2 Aug 2023, Michael Richardson wrote:

Christian Hopps <[email protected]> wrote:
   >> The ingress node encrypts this packet and adds the IPsec
   >> encapsulation, and this IPsec-processed packet is also larger than the
   >> Link MTU. The ingress node fragments this IPsec-processed packet and
   >> sends all the fragments to the egress node.

   > This should not happen. The ingress node should first fragment the
   > inner IP packet so that it fits in the tunnel (i.e., so that the ESP
   > packets it creates do not violate its own MTU).

You can't do that if DF=1, or IPv6.
You can form big ESP packets and then fragment them, even with IPv6.
DF=0 for IPv4 on ESP packets is good, until there is a firewall that can't
cope with fragments.

Why does any of this even matter? The applications should use PLPMTUD / DPLPMTUD?

Sprinkling bits to try to communicate with hops in between hasn't worked
for decades.

Or use IPTFS and set your own max packet size sufficiently low?

I'm not convinced doing this between IPsec peers will solve any real use
cases.

Paul
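The thread turns on three numbers: the link MTU, the ESP tunnel-mode overhead, and whether the inner packet may be fragmented at all (IPv4 with DF=0) or must be bounced back to the sender (IPv4 DF=1, IPv6). The following is an added worked example, not code from the thread or from any IPsec implementation. It computes the ESP overhead from the RFC 4303 packet layout, derives the largest inner packet that fits a given link MTU, classifies an inner packet into "forward", "fragment inner", or "send Packet Too Big", and counts the outer fragments that Paul's alternative (encapsulate first, fragment the ESP packet afterwards) would produce. The cipher profiles, MTU values and packet sizes are assumptions chosen for illustration.

```python
"""Constructed example: ESP tunnel-mode MTU arithmetic (not from the thread).

Overhead follows the ESP packet format of RFC 4303:
  outer IP header | SPI + seq | IV | inner packet | padding | pad len + next hdr | ICV
"""
from dataclasses import dataclass
from math import ceil

IPV4_HDR = 20
IPV6_HDR = 40
IPV6_FRAG_HDR = 8      # IPv6 Fragment extension header, added per fragment
ESP_HDR = 8            # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2        # pad length (1 byte) + next header (1 byte)


@dataclass(frozen=True)
class EspProfile:
    iv_len: int        # explicit IV carried in the packet
    block_align: int   # (inner + padding + trailer) must be a multiple of this
    icv_len: int       # integrity check value appended at the end


# Assumed cipher profiles (common parameter sets, chosen for illustration).
AES_GCM_128 = EspProfile(iv_len=8, block_align=4, icv_len=16)
AES_CBC_HMAC_SHA1_96 = EspProfile(iv_len=16, block_align=16, icv_len=12)


def esp_pad_len(inner_len: int, profile: EspProfile) -> int:
    """Padding bytes so that inner + padding + trailer is block-aligned."""
    return (-(inner_len + ESP_TRAILER)) % profile.block_align


def esp_packet_len(inner_len: int, profile: EspProfile, outer_v6: bool = False) -> int:
    """Total on-the-wire size of the ESP tunnel-mode packet for an inner packet."""
    outer_hdr = IPV6_HDR if outer_v6 else IPV4_HDR
    return (outer_hdr + ESP_HDR + profile.iv_len + inner_len
            + esp_pad_len(inner_len, profile) + ESP_TRAILER + profile.icv_len)


def tunnel_inner_mtu(link_mtu: int, profile: EspProfile, outer_v6: bool = False) -> int:
    """Largest inner packet whose encapsulated form still fits in link_mtu.

    Padding makes the closed form awkward, so walk down from link_mtu;
    esp_packet_len is monotonic in inner_len, so the first fit is the maximum.
    """
    n = link_mtu
    while n > 0 and esp_packet_len(n, profile, outer_v6) > link_mtu:
        n -= 1
    return n


def ingress_decision(inner_len: int, inner_v6: bool, df: bool,
                     link_mtu: int, profile: EspProfile, outer_v6: bool = False) -> str:
    """What the ingress may do with one inner packet under 'fragment inner first'.

    Returns "forward", "fragment-inner", or "icmp-too-big". The last case is the
    one the thread points at: IPv6 and IPv4-with-DF inner packets cannot be
    fragmented by the tunnel ingress, so the MTU problem goes back to the sender.
    """
    if esp_packet_len(inner_len, profile, outer_v6) <= link_mtu:
        return "forward"
    if inner_v6 or df:
        return "icmp-too-big"
    return "fragment-inner"


def outer_fragment_count(esp_len: int, link_mtu: int, outer_v6: bool = False) -> int:
    """Fragments produced if the ESP packet is built first and fragmented afterwards.

    Fragment payloads (except the last) are multiples of 8 bytes; IPv6 spends a
    further 8 bytes per fragment on the Fragment header.
    """
    if esp_len <= link_mtu:
        return 1
    if outer_v6:
        per_frag = ((link_mtu - IPV6_HDR - IPV6_FRAG_HDR) // 8) * 8
        payload = esp_len - IPV6_HDR
    else:
        per_frag = ((link_mtu - IPV4_HDR) // 8) * 8
        payload = esp_len - IPV4_HDR
    return ceil(payload / per_frag)


if __name__ == "__main__":
    link = 1500
    for profile_name, profile in (("AES-GCM-128", AES_GCM_128),
                                  ("AES-CBC/HMAC-SHA1-96", AES_CBC_HMAC_SHA1_96)):
        print(f"{profile_name}: inner MTU over a {link}-byte link "
              f"= {tunnel_inner_mtu(link, profile)} bytes")
    for inner_v6, df in ((False, False), (False, True), (True, False)):
        print("1500-byte inner, v6=%s df=%s -> %s" %
              (inner_v6, df, ingress_decision(1500, inner_v6, df, link, AES_GCM_128)))
    big = esp_packet_len(1500, AES_GCM_128)
    print(f"encapsulate-then-fragment: {big}-byte ESP packet -> "
          f"{outer_fragment_count(big, link)} IPv4 fragments")
```

The `ingress_decision` branch is where the two positions in the thread diverge: "fragment the inner packet first" only exists as an option on the `fragment-inner` path, while `outer_fragment_count` shows the cost of the alternative that always works but depends on every middlebox between the peers forwarding fragments.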

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
