Subject: Re: Default value of net.inet.ipsec.dfbit breaks PMTU over IPsec tunnels
To: Daniel Carosone <dan@geek.com.au>
From: Jason Thorpe <thorpej@wasabisystems.com>
List: tech-net
Date: 05/28/2004 15:35:16
--Apple-Mail-60-102334377
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII; format=flowed
On May 28, 2004, at 3:28 PM, Daniel Carosone wrote:
> I think it should keep a per-SA record of the MTU across the SA, and
> update that accordingly. Then NEEDS FRAG's get generated appropriately
> later when A/D send something too large for the new smaller tunnel.
Yah, that's basically that I concluded after writing that paragraph
originally :-)
Unfortunately, it requires the original sender to retransmit (since the
first ICMP message will be "lost"), but them's the breaks, I guess.
-- Jason R. Thorpe <thorpej@wasabisystems.com>
--Apple-Mail-60-102334377
content-type: application/pgp-signature; x-mac-type=70674453;
name=PGP.sig
content-description: This is a digitally signed message part
content-disposition: inline; filename=PGP.sig
content-transfer-encoding: 7bit
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)
iD8DBQFAt76kOpVKkaBm8XkRAmIJAJ9q41KlS+37ibdIIyB/QH12ZNVEbgCfRKl1
YSzFlB2R4fYFcOCNH0CaYiM=
=2ACs
-----END PGP SIGNATURE-----
--Apple-Mail-60-102334377--