On 2010-11-08, Claudio Jeker <cje...@diehard.n-r-g.com> wrote:
> On Mon, Nov 08, 2010 at 12:31:51AM +0100, Vladimir Ostrovskiy wrote:
>> Hi,
>>
>> 1. as far as my knowledge goes pure mpls packet should not be fragmented
>
> Right, there is no way to fragment a MPLS packet on ethernet, since L2
> does not implement such a thing. But gif(4) is L3 and therefore the traffic
> over gif can be fragmented.
>
>> 2. I am unaware of IPSec encap of MPLS, maybe in GRE first?
>> but once such encap is done there is DF bit set.
>
> You can encap the IP packet, since IPSec always comes with an IP header.
>
>> 3. maybe it will be easier to put additional routers on both endpoints
>> with interfaces set with an IP MTU, small enough?
>>
>
> I don't think this is needed.
>
> In short, gif(4) will fragment packets just fine (actually it is the
> normal IP fragmenting in ip_output()). So in theory you could forward
> jumbo frames over a link with less than 1500 bytes by using a big MTU
> gif(4) on a bridge. This works just fine as long as there is only very
> little packet loss. There are a few people that use vether(4) + bridge(4)
> + gif/ipsec to build L2 tunnels with full MTU, it works astoundingly well.

I know of one situation where an additional router might be needed: if you try ethernet -> vether/bridge/gif -> pppoe, the ethernet-connected side also needs to have MTU 1492. Since this affects non-tunnelled traffic too, sometimes it's not acceptable on the main router, so you'd need an extra one. (There is the option of 'route add $endpoint $gateway -mtu 1492' but obviously this only helps if static routing is ok).