Subject: Re: Default value of net.inet.ipsec.dfbit breaks PMTU over IPsec
To: Jason Thorpe <thorpej@wasabisystems.com>
From: Michael Hertrick <m.hertrick@neovera.com>
List: tech-net
Date: 05/28/2004 16:30:25
Jason Thorpe wrote:

>
> On May 28, 2004, at 9:43 AM, Michael Hertrick wrote:
>
>> You're probably right for the sake of compatibility with non-PMTUD 
>> hosts, but if it is copied from the original then one is leaving the 
>> decision up to the untrustworthy end-user/system.
>
>
> Sure, but how is that different from a non-IPsec gateway?  We're 
> talking effectively about a router, here.  Non-IPsec gateways don't 
> arbitrarily set DF in packets.
If a router must fragment a packet in order to send it over an IPsec
tunnel, does it not have to encrypt each fragment separately?  Is
encryption more CPU intensive than fragmentation?  Would it be much
easier for a host or hosts to use fragmentation to consume all available
CPU on an IPsec gateway than on a non-IPsec gateway?
~Mike.