Subject: Re: Default value of net.inet.ipsec.dfbit breaks PMTU over IPsec tunnels
To: Michael Hertrick <m.hertrick@neovera.com>
From: Jason Thorpe <thorpej@wasabisystems.com>
List: tech-net
Date: 05/28/2004 11:43:22

On May 28, 2004, at 9:43 AM, Michael Hertrick wrote:

> You're probably right for the sake of compatibility with non-PMTUD 
> hosts, but if it is copied from the original then one is leaving the 
> decision up to the untrustworthy end-user/system.

Sure, but how is that different from a non-IPsec gateway?  We're 
talking effectively about a router, here.  Non-IPsec gateways don't 
arbitrarily set DF in packets.

> What do you think about a default setting of '3'?  '3' being "Drop all 
> packets until the administrator sets the value to 0, 1, or 2."

Heh, I think that's just plain anti-social :-)  Besides, even in the 
current situation, you need to change the setting to get the behavior 
that you happen to want, so... :-)

         -- Jason R. Thorpe <thorpej@wasabisystems.com>
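A small model of the trade-off the two messages above are arguing about, written as an added example for this page (it is not code from the thread, NetBSD or KAME). It assumes the value mapping 0 = clear DF on the outer header, 1 = set DF, 2 = copy DF from the inner header, treats the proposed '3' as "drop everything", and uses a round 60-byte tunnel-mode ESP overhead; all of those are assumptions, not facts taken from the page.

```c
#include <stdio.h>
#include <stddef.h>

/*
 * Assumed mapping for the sysctl discussed in the thread
 * (net.inet.ipsec.dfbit as in KAME-derived stacks):
 *   0 = clear DF in the outer (tunnel) header
 *   1 = set DF in the outer header
 *   2 = copy DF from the inner header
 * Value 3 is the hypothetical "drop all packets until the administrator
 * picks 0, 1 or 2" proposal from the quoted message; it is not a real setting.
 */
enum dfbit_policy { DF_CLEAR = 0, DF_SET = 1, DF_COPY = 2, DF_DROP_ALL = 3 };

/* Bytes added by tunnel-mode ESP: outer IPv4 header plus ESP header, IV,
 * padding/trailer and ICV.  Assumed round figure for illustration only. */
#define TUNNEL_OVERHEAD 60

enum outcome {
    OUT_FORWARDED,      /* outer packet fits the path MTU */
    OUT_FRAGMENTED,     /* outer DF clear: a downstream router fragments it */
    OUT_ICMP_NEEDFRAG,  /* outer DF set: dropped, ICMP "frag needed" goes to
                           the outer source, i.e. the gateway */
    OUT_DROPPED_POLICY  /* policy 3: gateway refuses to forward at all */
};

/* Returns the outer DF bit (0 or 1), or -1 when the policy drops the packet. */
static int outer_df_bit(enum dfbit_policy p, int inner_df)
{
    switch (p) {
    case DF_CLEAR:    return 0;
    case DF_SET:      return 1;
    case DF_COPY:     return inner_df ? 1 : 0;   /* decision left to the end host */
    case DF_DROP_ALL: return -1;
    }
    return -1;  /* unknown value: fail closed */
}

/* Model the gateway encapsulating one inner packet and then a downstream
 * hop whose MTU is path_mtu. */
enum outcome tunnel_forward(enum dfbit_policy p, size_t inner_len,
                            int inner_df, size_t path_mtu)
{
    int df = outer_df_bit(p, inner_df);
    if (df < 0)
        return OUT_DROPPED_POLICY;

    size_t outer_len = inner_len + TUNNEL_OVERHEAD;
    if (outer_len <= path_mtu)
        return OUT_FORWARDED;

    /* Too big for the next hop: DF decides between fragmentation and a drop
     * with ICMP "fragmentation needed" back to the outer source. */
    return df ? OUT_ICMP_NEEDFRAG : OUT_FRAGMENTED;
}

static const char *outcome_str(enum outcome o)
{
    switch (o) {
    case OUT_FORWARDED:      return "forwarded";
    case OUT_FRAGMENTED:     return "fragmented downstream";
    case OUT_ICMP_NEEDFRAG:  return "dropped, ICMP need-frag to gateway";
    case OUT_DROPPED_POLICY: return "dropped by policy";
    }
    return "?";
}

int main(void)
{
    /* Constructed scenario: a 1500-byte inner packet and a 1500-byte path
     * MTU, so the encapsulated packet is always too large for the next hop. */
    const size_t inner_len = 1500, path_mtu = 1500;
    const char *pol[] = { "0 clear", "1 set", "2 copy", "3 drop-all" };

    printf("%-11s %-13s %s\n", "policy", "inner DF", "result");
    for (int p = DF_CLEAR; p <= DF_DROP_ALL; p++)
        for (int df = 0; df <= 1; df++)
            printf("%-11s %-13s %s\n", pol[p],
                   df ? "set (PMTUD)" : "clear (legacy)",
                   outcome_str(tunnel_forward((enum dfbit_policy)p,
                                              inner_len, df, path_mtu)));
    return 0;
}
```

Running it prints the eight combinations. Policy 2 is the only one that behaves like the plain router Jason describes: a PMTUD host's packet is dropped with an ICMP, a legacy host's packet is fragmented. Policy 0 fragments everything, policy 1 drops oversized packets from legacy hosts too, and policy 3 forwards nothing. Note that with DF set on the outer header the ICMP is addressed to the outer source (the gateway), so whether the inner host ever learns the smaller MTU depends on what the gateway does with that message, which the thread does not get into.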

