Subject: Re: packet loss? w/ 1.6[A-D] & IPSEC policy
To: Tom Spindler <dogcow@babymeat.com>
From: Arto Selonen <arto@selonen.org>
List: current-users
Date: 07/20/2002 16:30:25
Hi!

Yes, this could well be related to the ep driver issues discussed earlier.
Especially so, since it seems that with ipsec policies on I get normal
performance when transferring stuff from client to server (so the
ep0@server end is just sending acks), but bad/no performance when ep0
needs to send a lot of stuff.

Without the ipsec stuff the ep0 is sending packets nicely fitted to the
PMTU (1500) without any problems. I tried by sending a 45M text file
over it (server->client); constant flow of packets in the ~1450 byte
range. So, it is not just the ep driver: it needs ipsec to do something
to the packets. (And this is where my knowledge of the involved issues
starts to fade).

If ipsec causes the "original" packets to grow too much in size, then
there will be problems. If the ESP/AH packet is over MSS/MTU size then
I guess it should be fragmented, but I don't know if ESP/AH are allowed
to be fragmented (at least I see the DF bit on for them). If ipsec
packets cannot be fragmented, then should they not be created to fit
the PMTU? If they can be fragmented, then why not send them fragmented
and as small as the clear text packets would be sent? (I really
don't know how these are handled).

I tried with varying html file sizes to see where things break. It turns
out that when the http reply size (as returned by
'lynx -mime_header http://www.example.com/ | wc') grows over 1390 bytes
in size, then things break. In my case this meant that test.html was
properly transmitted (using the telnet www.example.com 80) as long as it
was 1142 bytes or less in size.

What I'm wondering is: what is growing to be too big and why, when
ipsec is used? And a natural followup: how can I control it?


On Sat, 20 Jul 2002, Tom Spindler wrote:

> > It would seem that as soon as I turn IPSEC policy on for the
> > client/server pair, I start losing packets (from the server end).
> > Why did it surface after (client?) upgrade to 1.6A (and beyond)? Have I
> > overlooked a required change somewhere along the way?
> [elided]
> > This is what the ep0 interface looks like on server (modified MAC,inet,inet6):
> > -------------------------------------------------------------------
> > ep0: flags=8963<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500

> There's been a lot of discussion as to whether the ep0 driver is just
> really awful or hasn't enough buffer space, but the same things seem
> to happen in 10Mb media in general - not just ep.


Artsi
#######======------  http://www.selonen.org/arto/  --------========########
Everstinkuja 5 B 35                               Don't mind doing it.
FIN-02600 Espoo        arto@selonen.org         Don't mind not doing it.
Finland              tel +358 50 560 4826     Don't know anything about it.
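
The size arithmetic behind the "what is growing to be too big" question above, as an added example that is not part of the original message or of NetBSD: it computes how large an IPv4 packet becomes after transport-mode ESP (optionally with AH) and the largest TCP payload that still fits a 1500-byte MTU. The cipher (8-byte block and IV, as with 3DES-CBC), the 12-byte ICV (a 96-bit truncated HMAC) and the 32-byte TCP header (timestamps enabled) are assumptions, since the message does not state the policy's algorithms.

```python
"""IPv4 transport-mode IPsec packet size calculator (added example)."""

IP_HDR = 20          # IPv4 header, no options
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
AH_FIXED = 12        # AH fields that precede the ICV


def ipsec_packet_len(tcp_payload, tcp_hdr=32, block=8, iv=8, icv=12, use_ah=False):
    """Total IPv4 packet length after transport-mode ESP (and optional AH).

    Defaults are assumptions, not values from the message: 8-byte cipher
    block and IV, 12-byte ICV, TCP header with the timestamp option.
    """
    segment = tcp_hdr + tcp_payload
    # ESP pads payload + trailer up to a multiple of the cipher block size.
    protected = segment + ESP_TRAILER
    padded = -(-protected // block) * block
    total = IP_HDR + ESP_HDR + iv + padded + icv
    if use_ah:
        total += AH_FIXED + icv  # AH header sits between IP and ESP
    return total


def max_tcp_payload(mtu=1500, **kw):
    """Largest TCP payload whose IPsec-wrapped packet still fits in mtu."""
    payload = mtu
    while payload > 0 and ipsec_packet_len(payload, **kw) > mtu:
        payload -= 1
    return payload


def report(mtu=1500):
    """Per policy: (label, max payload, packet size at max, size one byte over)."""
    rows = []
    for label, kw in (("ESP only", {}), ("AH + ESP", {"use_ah": True})):
        best = max_tcp_payload(mtu, **kw)
        rows.append((label, best, ipsec_packet_len(best, **kw),
                     ipsec_packet_len(best + 1, **kw)))
    return rows


if __name__ == "__main__":
    for label, best, fits, over in report():
        print(f"{label}: max payload {best} -> {fits} bytes; one more byte -> {over}")
```

Under these assumed settings the limits are 1414 bytes of TCP payload for ESP only and 1390 bytes for AH + ESP; a different cipher block size, ICV length or set of TCP options shifts them.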