Subject: Re: more IPsec NAT-T problems
To: None <tech-net@netbsd.org>
From: Miles Nordin <carton@Ivy.NET>
List: tech-net
Date: 11/27/2004 15:41:34

>>>>> "ed" == Emmanuel Dreyfus <manu@netbsd.org> writes:

    ed> UDP_ENCAP_ESPINUDP_MAXFRAGLEN is defined as 552: the maximum
    ed> length of a DNS request.

You are saying all NAT-T traffic will have an effective MTU of 552?
Wouldn't it be better to do proper PMTU-D for tunnels:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml#t9

According to this, on Cisco IPsec always does PMTU-D for tunnel and
transport mode, and GRE will do PMTU-D iff you set 'tunnel
path-mtu-discovery'.

I think we have to go as far as they do to DTRT, but I guess that is
probably far too big a project for what you want.

Also, if your broken home-Internet-splitter doesn't honor DF bit for
UDP packets, it won't help.  Does it?

-- 
The auditing that is conducted on slot machine software in the U.S. is
significantly more meticulous than what is done to voting software.
		-- Bruce Schneier
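To make the trade-off in the message above concrete, here is a small simulation of path-MTU discovery for a tunnelled UDP datagram versus a fixed 552-byte cap, including the failure mode the reply worries about: a home NAT box that fragments UDP even when DF is set, so the sender never receives an ICMP "fragmentation needed" and PMTU-D silently degrades. This is an added example, not code from the NetBSD thread or from the NetBSD IPsec stack; the hop names, the hop MTUs and the `honors_df` flag on the NAT hop are constructed assumptions for illustration.

```python
"""PMTU-D (RFC 1191 style) vs. a fixed size cap for ESP-in-UDP traffic.

Added illustration; the topology, MTUs and the NAT's DF handling are
constructed for this example and not taken from the mailing-list post.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

FIXED_CAP = 552          # the cap discussed in the thread
IPV4_MIN_MTU = 68        # RFC 791: smallest MTU a host must accept


@dataclass
class Hop:
    name: str
    mtu: int
    honors_df: bool = True   # False models a NAT that fragments UDP regardless of DF


@dataclass
class Result:
    pmtu: int                          # size the sender ends up believing works
    icmp_seen: int                     # "fragmentation needed" replies received
    silently_fragmented: bool          # a hop split the packet without telling us
    log: List[str] = field(default_factory=list)


def forward(size: int, df: bool, path: List[Hop]) -> Tuple[str, Optional[int]]:
    """Carry one datagram hop by hop.

    Returns ('delivered', None), ('icmp', next_hop_mtu) when a DF-honouring hop
    rejects it, or ('fragmented', hop_mtu) when a hop fragments it instead.
    """
    for hop in path:
        if size <= hop.mtu:
            continue
        if df and hop.honors_df:
            return "icmp", hop.mtu          # sender will learn the bottleneck MTU
        return "fragmented", hop.mtu        # DF clear or ignored: sender learns nothing
    return "delivered", None


def discover_pmtu(initial: int, path: List[Hop], df: bool = True) -> Result:
    """Probe downward from `initial` until a datagram is accepted end to end."""
    res = Result(pmtu=initial, icmp_seen=0, silently_fragmented=False)
    size = initial
    while True:
        status, hop_mtu = forward(size, df, path)
        res.log.append(f"probe {size}: {status}" + (f" (hop MTU {hop_mtu})" if hop_mtu else ""))
        if status == "delivered":
            res.pmtu = size
            return res
        if status == "fragmented":
            # The sender keeps believing `size` fits; only the middlebox knows better.
            res.silently_fragmented = True
            res.pmtu = size
            return res
        res.icmp_seen += 1
        size = max(hop_mtu, IPV4_MIN_MTU)


def bytes_left_on_table(path: List[Hop], cap: int = FIXED_CAP) -> int:
    """How much per-packet room a fixed cap wastes compared with the real path MTU."""
    real = min(h.mtu for h in path)
    return max(real - cap, 0)


# Constructed sample paths: a well-behaved DSL NAT and one that ignores DF on UDP.
GOOD_PATH = [Hop("lan", 1500), Hop("dsl-nat", 1492), Hop("isp", 1500), Hop("peer", 1500)]
BROKEN_PATH = [Hop("lan", 1500), Hop("home-nat", 1492, honors_df=False),
               Hop("isp", 1500), Hop("peer", 1500)]

if __name__ == "__main__":
    for label, path in (("good", GOOD_PATH), ("broken", BROKEN_PATH)):
        r = discover_pmtu(1500, path)
        print(label, r.pmtu, r.icmp_seen, r.silently_fragmented, r.log)
        print(label, "bytes wasted by fixed cap:", bytes_left_on_table(path))
```

Running it shows the two outcomes side by side: on the well-behaved path the sender converges on 1492 after one ICMP reply, while on the broken path the 1500-byte probe is "delivered" as fragments and the sender never adjusts, which is exactly the case where a DF-based PMTU-D would not help and the 552 cap would still get the packet through, at the cost of roughly 940 bytes of payload room per packet on that path.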
