Subject: kern/25658: Default value of net.inet.ipsec.dfbit breaks PMTU over IPsec tunnels
To: None <gnats-bugs@gnats.NetBSD.org>
From: None <steve@mctavish.co.uk>
List: netbsd-bugs
Date: 05/21/2004 16:46:52
>Number:         25658
>Category:       kern
>Synopsis:       Default value of net.inet.ipsec.dfbit breaks PMTU over IPsec tunnels
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri May 21 15:47:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator:     Steve Woodford
>Release:        NetBSD 2.0E
>Organization:
>Environment:
System: NetBSD oor-wullie.mctavish.co.uk 2.0E NetBSD 2.0E (WULLIE) #9: Fri May 21 10:02:40 BST 2004 steve@oor-wullie.mctavish.co.uk:/sys/arch/i386/compile/WULLIE i386
Architecture: i386
Machine: i386
>Description:
The default value of net.inet.ipsec.dfbit (zero) forces the DF bit to
be cleared for all packets destined for an IPsec tunnel. Since IPsec
encapsulation increases packet size, there's a very good chance they
will need to be fragmented to traverse the tunnel.

This breaks PMTU discovery, resulting in fragmentation which can
lead to very poor TCP performance if intermediate bridges/routers
drop packets (very likely on a WLAN, for example).
>How-To-Repeat:
Try to use IPsec to provide secure communication over a WLAN using an
access point which frequently drops packets when faced with a fragment
storm.

Notice TCP performance dropping from ~2.5MB/s without IPsec, to ~10KB/s
with IPsec enabled.
>Fix:
The default value for net.inet.ipsec.dfbit should be 2: Copy the DF bit.

This sysctl MIB should also be documented somewhere...
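A small model of the policy the report describes, added here as an illustration and not taken from the NetBSD kernel: it shows which outer DF bit each net.inet.ipsec.dfbit value produces for an ESP tunnel-mode packet and what a downstream hop with a smaller MTU then does to it. The ESP overhead figure and the "1 = always set" meaning of the remaining value are assumptions of this model (the report itself only documents 0 and 2).

```python
import math

# Outer-header DF policy selected by net.inet.ipsec.dfbit.
# 0 and 2 are as described in the report; 1 ("always set") is assumed here.
DFBIT_CLEAR, DFBIT_SET, DFBIT_COPY = 0, 1, 2

# Constructed ESP tunnel-mode overhead used by this model (bytes):
# outer IPv4 header (20) + ESP SPI/seq (8) + IV (16) + pad-len/next-hdr (2)
# + ICV (12). Real overhead varies with cipher, padding and ICV length.
ESP_OVERHEAD = 20 + 8 + 16 + 2 + 12

def outer_df(mode: int, inner_df: bool) -> bool:
    """DF bit written into the outer IPv4 header for a given sysctl value."""
    if mode == DFBIT_CLEAR:
        return False
    if mode == DFBIT_SET:
        return True
    if mode == DFBIT_COPY:
        return inner_df
    raise ValueError(f"unknown net.inet.ipsec.dfbit value {mode}")

def fragment_count(outer_len: int, hop_mtu: int) -> int:
    """Number of IPv4 fragments a router emits when DF is clear."""
    payload = outer_len - 20               # strip the outer IPv4 header
    per_frag = (hop_mtu - 20) // 8 * 8     # fragment payload is 8-byte aligned
    return math.ceil(payload / per_frag)

def tunnel_hop(inner_len: int, inner_df: bool, mode: int, hop_mtu: int) -> str:
    """What a router with link MTU `hop_mtu` does to the encapsulated packet.

    'forwarded'        : fits, nothing happens
    'icmp-frag-needed' : DF set, router drops and signals; PMTU discovery works
    'fragmented:N'     : DF clear, router splits it into N fragments (the
                         behaviour the report blames for the WLAN slowdown)
    """
    outer_len = inner_len + ESP_OVERHEAD
    if outer_len <= hop_mtu:
        return "forwarded"
    if outer_df(mode, inner_df):
        return "icmp-frag-needed"
    return f"fragmented:{fragment_count(outer_len, hop_mtu)}"

def usable_inner_mtu(hop_mtu: int) -> int:
    """Inner MTU the endpoint settles on once PMTU discovery has succeeded."""
    return hop_mtu - ESP_OVERHEAD
```

With a full-size 1500-byte TCP segment (DF set) crossing a 1500-byte hop, the default of 0 yields two fragments per segment, whereas 2 lets the sender receive the ICMP signal and shrink to `usable_inner_mtu(1500)` bytes.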
>Release-Note:
>Audit-Trail:
>Unformatted: