Subject: Re: Default value of net.inet.ipsec.dfbit breaks PMTU over IPsec tunnels
To: Steve Woodford <scw@NetBSD.org>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-net
Date: 05/21/2004 13:32:59
-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Steve" == Steve Woodford <scw@NetBSD.org> writes:
    Steve> See PR kern/25658.

    Steve> Before submitting the above PR, I consulted google on the
    Steve> merits of the default behaviour of always clearing the DF bit
    Steve> when encapsulating IPv4 in an IPsec tunnel (resulting in PMTU
    Steve> discovery lossage).

  Because otherwise, a lot of things break.

    Steve> There seems to be some wisdom that the default is "safer" in
    Steve> that an unfriendly router between two tunnel endpoints could
    Steve> return "ICMP need frag" and so reduce the PMTU to some
    Steve> unreasonable value. (Since the ICMP is returned out of band
    Steve> with respect to the tunnel).

  No, that's not the problem.
  ICMP need frags go missing. The result is that traffic stops.

  Please see draft-richardson-ipsec-fragment-00.txt, which the pmtud WG
has not yet adopted as a BCP, but has talked about.

- --
]     "Elmo went to the wrong fundraiser" - The Simpson         |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBQK49SoqHRg3pndX9AQHGiQQA493pVLJC3k6H0OyTgHjRDcXkPfDqLP6G
yFCKe623DhsxhKdJu4ZLw7FarymtnvOUs5o2rZAKQF6U/AKfBedWj4a1C4/EVDQE
N4idpMlA4s1vaaHp7jSgI1ynQN+QMivB6TB0xj7rmmbrEtt3sbki19Wgfjnhoy+l
MZEoYrB5+GE=
=wCbT
-----END PGP SIGNATURE-----
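The failure mode the reply describes (outer DF set, the router's "fragmentation needed" ICMP never reaching the encapsulating host, so every subsequent packet is silently dropped) versus the default of clearing DF (the router fragments the ESP packet and traffic keeps flowing), modelled as a small simulation. This is an added example, not code from the message, from NetBSD or from KAME; it assumes the usual KAME meaning of the `net.inet.ipsec.dfbit` values (0 clear, 1 set, 2 copy from the inner header), and the 24-byte ESP overhead and the 1400-byte bottleneck hop are constructed figures.

```c
#include <stdint.h>
#include <stdio.h>

#define IP_DF        0x4000   /* don't-fragment flag in the ip_off field */
#define IP_HDR_LEN   20       /* outer IPv4 header added by tunnel mode */
#define ESP_OVERHEAD 24       /* constructed figure: SPI, sequence, IV, padding/trailer */

/* Modelled net.inet.ipsec.dfbit values. Assumption: KAME semantics, where
 * 0 clears DF on the outer header, 1 sets it, 2 copies it from the inner header. */
enum dfbit_policy { DFBIT_CLEAR = 0, DFBIT_SET = 1, DFBIT_COPY = 2 };

struct pkt { uint16_t len; uint16_t off; };   /* total length, ip_off flags */

/* Tunnel-mode encapsulation: wrap the inner packet in ESP plus an outer IPv4
 * header, and set the outer DF bit according to the policy. */
static struct pkt ipsec_tunnel_encap(struct pkt inner, enum dfbit_policy pol)
{
    struct pkt outer;
    outer.len = (uint16_t)(inner.len + IP_HDR_LEN + ESP_OVERHEAD);
    switch (pol) {
    case DFBIT_SET:  outer.off = IP_DF;             break;
    case DFBIT_COPY: outer.off = inner.off & IP_DF; break;
    default:         outer.off = 0;                 break;
    }
    return outer;
}

/* The network between the two tunnel endpoints: the smallest link MTU on the
 * way, and whether the "fragmentation needed" ICMP a router would send for an
 * oversized DF packet ever gets back to the encapsulating host. */
struct path { uint16_t mtu; int icmp_lost; };

enum outcome { OUT_DELIVERED, OUT_FRAGMENTED, OUT_ICMP_NEEDFRAG, OUT_BLACKHOLE };

static enum outcome forward(struct pkt outer, const struct path *p)
{
    if (outer.len <= p->mtu)  return OUT_DELIVERED;
    if (!(outer.off & IP_DF)) return OUT_FRAGMENTED;        /* router fragments the ESP packet */
    return p->icmp_lost ? OUT_BLACKHOLE : OUT_ICMP_NEEDFRAG; /* DF set: drop, maybe tell the sender */
}

/* Push npkts inner packets (DF set, as TCP does) through the tunnel and return
 * how many reach the far end. The endpoint tracks a per-peer path MTU; when an
 * ICMP arrives it shrinks that estimate, and the inner host is assumed to honour
 * the "fragmentation needed" it then gets from the tunnel endpoint. */
int tunnel_send(enum dfbit_policy pol, const struct path *p, int npkts)
{
    uint16_t peer_pmtu = 1500;   /* initial belief: the endpoint's own link MTU */
    uint16_t inner_len = 1500;   /* inner host starts with full-size packets */
    int delivered = 0;

    for (int i = 0; i < npkts; i++) {
        /* PMTUD on the inner side: never hand the tunnel more than we think it carries. */
        if (inner_len + IP_HDR_LEN + ESP_OVERHEAD > peer_pmtu)
            inner_len = (uint16_t)(peer_pmtu - IP_HDR_LEN - ESP_OVERHEAD);

        struct pkt inner = { inner_len, IP_DF };
        struct pkt outer = ipsec_tunnel_encap(inner, pol);

        switch (forward(outer, p)) {
        case OUT_DELIVERED:
        case OUT_FRAGMENTED:
            delivered++;
            break;
        case OUT_ICMP_NEEDFRAG:
            peer_pmtu = p->mtu;   /* this packet is lost, but the next one will fit */
            break;
        case OUT_BLACKHOLE:
            break;                /* lost and nothing learned: repeats for every packet */
        }
    }
    return delivered;
}

int main(void)
{
    struct path filtered   = { 1400, 1 };   /* constructed: MTU 1400 hop whose ICMP is eaten */
    struct path unfiltered = { 1400, 0 };
    printf("dfbit=0 (clear), ICMP lost:  %d/5 delivered\n", tunnel_send(DFBIT_CLEAR, &filtered, 5));
    printf("dfbit=2 (copy),  ICMP lost:  %d/5 delivered\n", tunnel_send(DFBIT_COPY, &filtered, 5));
    printf("dfbit=2 (copy),  ICMP works: %d/5 delivered\n", tunnel_send(DFBIT_COPY, &unfiltered, 5));
    return 0;
}
```

With DF cleared the bottleneck router fragments the ESP packets and all five arrive; with DF copied or set and the ICMP filtered, nothing arrives and nothing on the sending side ever learns why, which is the "traffic stops" case. Only when the ICMP actually comes back does classic PMTUD recover after the first loss.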