Subject: Re: Default value of net.inet.ipsec.dfbit breaks PMTU over IPsec tunnels
To: Daniel Carosone <dan@geek.com.au>
From: Jason Thorpe <thorpej@wasabisystems.com>
List: tech-net
Date: 05/28/2004 15:35:16


On May 28, 2004, at 3:28 PM, Daniel Carosone wrote:

> I think it should keep a per-SA record of the MTU across the SA, and
> update that accordingly. Then NEEDS FRAG's get generated appropriately
> later when A/D send something too large for the new smaller tunnel.

Yah, that's basically what I concluded after writing that paragraph 
originally :-)

Unfortunately, it requires the original sender to retransmit (since the 
first ICMP message will be "lost"), but them's the breaks, I guess.

         -- Jason R. Thorpe <thorpej@wasabisystems.com>
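
The per-SA MTU record discussed in this message, sketched as an added example that is not part of the original mail or of NetBSD's IPsec code. The struct and function names, the 56-byte encapsulation overhead and the 576-byte floor are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define SA_MIN_MTU 576  /* assumed floor so a bogus ICMP cannot shrink the SA to nothing */

/* Hypothetical per-SA state; not the kernel's real structure. */
struct sa_entry {
    uint32_t spi;
    uint16_t path_mtu;  /* MTU of the outer path across this SA */
    uint16_t overhead;  /* bytes added by outer IP + ESP (assumed value) */
};

/* An outer-path router sent NEEDS FRAG for a tunnel packet.
 * Record it on the SA; the record is only ever lowered here. */
void sa_outer_needfrag(struct sa_entry *sa, uint16_t next_hop_mtu)
{
    if (next_hop_mtu < SA_MIN_MTU)
        next_hop_mtu = SA_MIN_MTU;
    if (next_hop_mtu < sa->path_mtu)
        sa->path_mtu = next_hop_mtu;
}

/* Largest inner packet that still fits the SA after encapsulation. */
uint16_t sa_inner_mtu(const struct sa_entry *sa)
{
    return (uint16_t)(sa->path_mtu - sa->overhead);
}

/* Output path: returns 0 to encapsulate, otherwise the MTU to report
 * in an ICMP NEEDS FRAG sent back to the inner sender. */
uint16_t sa_output_check(const struct sa_entry *sa, uint16_t inner_len, int df)
{
    uint16_t mtu = sa_inner_mtu(sa);
    return (df && inner_len > mtu) ? mtu : 0;
}

int main(void)
{
    struct sa_entry sa = { 0x1000, 1500, 56 };  /* constructed sample SA */

    /* First 1400-byte DF packet fits the recorded MTU, so it is sent and lost. */
    printf("first send:  needfrag mtu=%u\n", (unsigned)sa_output_check(&sa, 1400, 1));
    sa_outer_needfrag(&sa, 1400);               /* outer ICMP lands on the gateway */
    /* The sender's retransmission is now answered with NEEDS FRAG. */
    printf("retransmit:  needfrag mtu=%u\n", (unsigned)sa_output_check(&sa, 1400, 1));
    return 0;
}
```
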

