Subject: Re: Default value of net.inet.ipsec.dfbit breaks PMTU over IPsec tunnels
To: Michael Hertrick <m.hertrick@neovera.com>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-net
Date: 05/28/2004 16:56:59
On Fri, May 28, 2004 at 04:30:25PM -0400, Michael Hertrick wrote:
> 
> If a router must fragment a packet in order to send it over an IPSec 
> tunnel, does it not have to encrypt each fragment separately?  Is 
> encryption more CPU intensive than fragmentation?  Would it be much 
> easier for a host or hosts to use fragmentation to consume all available 
> CPU on an IPSec gateway than on a non-IPSec gateway? 

If the router simply does what routers are required to do, and drops
packets marked with DF that it would otherwise fragment, this will simply
not happen.  Path MTU discovery (which must be implemented on any host
sending packets with DF set) will discover the smaller MTU of the IPsec-
encapsulated path, and everything will work perfectly fine.

On the other hand, clearing DF and then passing the packets along *will
cause exactly the problem you're positing*.  That's one reason it's
wrong.

-- 
 Thor Lancelot Simon	                                      tls@rek.tjls.com
   But as he knew no bad language, he had called him all the names of common
 objects that he could think of, and had screamed: "You lamp!  You towel!  You
 plate!" and so on.              --Sigmund Freud
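A small model of the two router behaviours discussed above (drop DF packets with an ICMP "fragmentation needed" versus clear DF and fragment), added here as an illustration and not code from either poster or from NetBSD. The ESP overhead figure and the MTU values are constructed assumptions; real overhead depends on the cipher, integrity algorithm and outer header.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

IPV4_HDR = 20
ESP_OVERHEAD = 57   # assumed tunnel-mode ESP cost per packet (outer IP + ESP hdr/IV/trailer/ICV)


@dataclass
class Packet:
    size: int   # total IPv4 length, header included
    df: bool    # Don't Fragment bit set


@dataclass
class Result:
    action: str                  # "forward", "fragment" or "drop_icmp_needfrag"
    encryptions: int             # ESP operations the gateway performs for this packet
    next_hop_mtu: Optional[int]  # MTU carried in ICMP type 3 code 4, if one is sent


def forward(pkt: Packet, link_mtu: int, clear_df: bool) -> Result:
    """Gateway forwarding one inner packet into an IPsec tunnel on a link of link_mtu."""
    inner_mtu = link_mtu - ESP_OVERHEAD          # largest inner packet that fits after ESP
    if pkt.size <= inner_mtu:
        return Result("forward", 1, None)
    if pkt.df and not clear_df:
        # RFC-conformant behaviour: do not fragment, tell the sender the smaller MTU
        return Result("drop_icmp_needfrag", 0, inner_mtu)
    # DF was clear (or the gateway cleared it): fragment, then ESP each fragment
    payload_per_frag = (inner_mtu - IPV4_HDR) // 8 * 8   # fragment offsets are 8-byte units
    payload = pkt.size - IPV4_HDR
    nfrags = -(-payload // payload_per_frag)             # ceiling division
    return Result("fragment", nfrags, None)


def host_pmtud(start_mtu: int, link_mtu: int, clear_df: bool) -> Tuple[int, int]:
    """Host sending with DF set, lowering its path MTU on each ICMP need-frag.

    Returns (path MTU the host ends up using, ESP operations the gateway did)."""
    pmtu, cost = start_mtu, 0
    while True:
        r = forward(Packet(pmtu, df=True), link_mtu, clear_df)
        cost += r.encryptions
        if r.action != "drop_icmp_needfrag":
            return pmtu, cost
        pmtu = r.next_hop_mtu   # PMTUD: adopt the advertised MTU and retry
```

With DF honoured the host learns the tunnel MTU after one dropped probe and every later packet costs one ESP operation; with DF cleared the host never learns it and each full-size packet costs one ESP operation per fragment.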