Subject: Re: Default value of net.inet.ipsec.dfbit breaks PMTU over IPsec tunnels
To: Michael Richardson <mcr@sandelman.ottawa.on.ca>
From: Jason Thorpe <thorpej@wasabisystems.com>
List: tech-net
Date: 05/27/2004 17:38:53

On May 21, 2004, at 10:32 AM, Michael Richardson wrote:

>   No, that's not the problem.
>   ICMP need frag's go missing. The result is that traffic stops.

Actually, in the case Steve was talking about, the NEED FRAG would not 
go missing, because it's the IPsec gateway itself that is reducing the 
path MTU, and needs to notify one side or the other.

But the code path doesn't currently do that because DF is forcibly 
cleared.

So, either DF handling needs to be un-broken, or we need to 
special-case "forward to IPsec tunnel".

         -- Jason R. Thorpe <thorpej@wasabisystems.com>
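A small model of the behaviour described above, added here as an illustration and not part of the thread: a tunnel gateway that either copies the inner DF bit into the outer header or forcibly clears it, and a PMTUD-enabled sender reacting to what the gateway returns. It assumes net.inet.ipsec.dfbit values 0/1/2 mean clear/set/copy and a fixed ESP tunnel overhead; both are assumptions for the purposes of the example.

```python
# Added example (not from the original thread). Models an IPsec tunnel gateway's
# IPv4 DF handling and what a PMTUD sender learns from it. The dfbit policy
# encoding (0 = clear, 1 = set, 2 = copy) and the ESP overhead are assumptions.
from dataclasses import dataclass

# outer IP (20) + ESP header (8) + IV (16) + pad/trailer (2) + ICV (12): assumed sizes
ESP_TUNNEL_OVERHEAD = 20 + 8 + 16 + 2 + 12


@dataclass
class Packet:
    length: int   # total inner IPv4 datagram length
    df: bool      # Don't Fragment flag on the inner header


def gateway_encapsulate(pkt, dfbit_policy, outer_mtu):
    """Return ('sent', fragments_on_wire) or ('icmp_need_frag', advertised_mtu)."""
    outer_len = pkt.length + ESP_TUNNEL_OVERHEAD
    if dfbit_policy == 0:
        outer_df = False          # forcibly cleared: the case the thread complains about
    elif dfbit_policy == 1:
        outer_df = True
    else:
        outer_df = pkt.df         # copy: gateway honours the sender's wish
    if outer_len <= outer_mtu:
        return ("sent", 1)
    if outer_df:
        # The gateway itself reduced the effective path MTU, so it is the one that
        # must send ICMP Fragmentation Needed, advertising what still fits after ESP.
        return ("icmp_need_frag", outer_mtu - ESP_TUNNEL_OVERHEAD)
    # DF clear: fragment the outer datagram silently; the sender never learns the MTU.
    payload_per_frag = (outer_mtu - 20) // 8 * 8
    nfrags = -(-(outer_len - 20) // payload_per_frag)
    return ("sent", nfrags)


def sender_pmtud(dfbit_policy, sender_mtu=1500, outer_mtu=1500):
    """A sender doing PMTUD (DF set) starts at its own MTU and shrinks on ICMP."""
    size = sender_mtu
    for _ in range(8):  # bounded so a broken gateway cannot loop us forever
        result, value = gateway_encapsulate(Packet(size, df=True), dfbit_policy, outer_mtu)
        if result == "icmp_need_frag":
            size = value
            continue
        return {"pmtu_learned": size, "fragments_on_wire": value}
    return {"pmtu_learned": size, "fragments_on_wire": None}
```

With the clear policy the sender keeps believing 1500 fits while every full-size packet is fragmented on the wire; with copy it converges on 1442 after one ICMP round trip.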

