Subject: Re: Default value of net.inet.ipsec.dfbit breaks PMTU over IPsec tunnels
To: Greg Troxel <gdt@ir.bbn.com>
From: Jason Thorpe <thorpej@wasabisystems.com>
List: tech-net
Date: 05/28/2004 08:04:36


On May 28, 2004, at 5:17 AM, Greg Troxel wrote:

> I was surprised to find that I had to turn net.inet.ipsec.dfbit
> on manually.  I was losing across an IPsec VPN, and setting dfbit to 1
> caused PMTU-D to work.

I was certainly surprised at the default.

> People that have problems with filtered ICMP can either set dfbit back
> to 0 and take the fragmentation performance hit, or probably PMTU
> blackhole detection on the client side should find the IPsec-reduced
> MTU.

I agree 100%.

> It can be argued that mtudisc defaulting to on and dfbit set to 2
> should be linked.  My 1.6.2ish systems don't have mtudisc on by
> default, but my currentish ones do.

I don't think they should be linked, necessarily... the gateway doing 
the tunnel encap might not be the endpoint (of course, it might be, but 
there are also plenty of scenarios where it wouldn't be).

I definitely agree with your patch, i.e. change dfbit to "copy" by 
default.

>
> Index: sys/netipsec/ipsec.c
> --- ipsec.c.~1.1.1.2.~  2004-01-27 20:35:31.000000000 -0500
> +++ ipsec.c     2004-05-28 08:15:38.000000000 -0400
> @@ -110,7 +110,7 @@
>  /* NB: name changed so netstat doesn't use it */
>  struct newipsecstat newipsecstat;
>  int ip4_ah_offsetmask = 0;     /* maybe IP_DF? */
> -int ip4_ipsec_dfbit = 0;       /* DF bit on encap. 0: clear 1: set 2: 
> copy */
> +int ip4_ipsec_dfbit = 2;       /* DF bit on encap. 0: clear 1: set 2: 
> copy */
>  int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
>  int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
>  int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
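Review bot: the hunk will not apply as posted, because the mailer has wrapped the two long comment lines (`-int ip4_ipsec_dfbit = 0;       /* DF bit on encap. 0: clear 1: set 2:` with `copy */` on its own line, and the same for the `+` line); please resend it as an attachment or with line wrapping disabled. Beyond that, the new default of 2 (copy) is recorded only in the C comment: the sysctl's documented default should be updated in the same change, and the commit message should note that copying DF makes path MTU discovery over the tunnel depend on ICMP "fragmentation needed" reaching the sender, with dfbit=0 as the fallback for sites that filter ICMP, since that is the trade-off discussed above.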
>
> -- 
>         Greg Troxel <gdt@ir.bbn.com>
>
         -- Jason R. Thorpe <thorpej@wasabisystems.com>
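As an added illustration, not code from this thread or from NetBSD's netipsec, the following constructed C model shows the three ip4_ipsec_dfbit policies from the quoted hunk and why only "set" or "copy" lets a DF-marked inner flow discover the IPsec-reduced MTU; the ESP_OVERHEAD value, the outcome enum and the 16-try bound are assumptions made for the model.

```c
#include <stdbool.h>

/* Constructed model of the ip4_ipsec_dfbit policy from the quoted hunk:
 * 0 = clear DF on the outer header, 1 = always set it, 2 = copy inner DF. */
enum dfbit_policy { DF_CLEAR = 0, DF_SET = 1, DF_COPY = 2 };

/* What happens to one encapsulated packet on the tunnel path. */
enum outcome { DELIVERED, FRAGMENTED, DROPPED_NEED_FRAG };

/* Assumed outer IP + ESP header/trailer overhead, in bytes. */
#define ESP_OVERHEAD 56

/* DF flag placed in the outer header for a given policy and inner DF. */
bool outer_df(enum dfbit_policy policy, bool inner_df)
{
    switch (policy) {
    case DF_SET:  return true;
    case DF_COPY: return inner_df;
    default:      return false;   /* DF_CLEAR */
    }
}

/* One encapsulated packet meets a hop whose MTU is path_mtu. With DF set
 * the hop must drop it and emit ICMP "fragmentation needed"; otherwise it
 * fragments the outer packet and delivery succeeds at a performance cost. */
enum outcome send_tunnel(enum dfbit_policy policy, bool inner_df,
                         int inner_len, int path_mtu)
{
    if (inner_len + ESP_OVERHEAD <= path_mtu) return DELIVERED;
    return outer_df(policy, inner_df) ? DROPPED_NEED_FRAG : FRAGMENTED;
}

/* PMTU discovery for an inner flow that always sets DF (TCP with mtudisc
 * on). Returns the inner size the flow settles on, or -1 when the packet
 * is dropped but the ICMP feedback is filtered, i.e. a PMTU black hole.
 * With DF_CLEAR the gateway fragments instead, so the flow keeps its
 * original size and never learns the IPsec-reduced MTU. */
int discover_inner_mtu(enum dfbit_policy policy, int start_len,
                       int path_mtu, bool icmp_filtered)
{
    int len = start_len;
    for (int tries = 0; tries < 16; tries++) {  /* assumed retry bound */
        enum outcome r = send_tunnel(policy, true, len, path_mtu);
        if (r != DROPPED_NEED_FRAG) return len;
        if (icmp_filtered) return -1;
        len = path_mtu - ESP_OVERHEAD;   /* next-hop MTU from the ICMP */
    }
    return -1;
}
```

With dfbit=2 a DF-marked 1500-byte inner packet across a 1500-byte path settles at 1444 bytes when ICMP gets through and black-holes when it is filtered, while dfbit=0 keeps 1500 bytes and pays for fragmentation on every packet.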