Re: ipsec tunnels & packet length issues

From: Company 2210 (company2210_at_hotmail.com)
Date: 10/29/03

  • Next message: Nucleo de Pesquisa e Desenvolvimento: "IPSEC in tunnel mode ( possible? )"
    To: <freebsd-net@freebsd.org>
    Date: Wed, 29 Oct 2003 16:22:29 -0000
    
    

    So, what would be a suitable MTU value for an ESP encrypted packet using
    Blowfish?

    Thanks

    ----- Original Message -----
    From: "Helge Oldach" <helge.oldach@atosorigin.com>
    To: "Eric Masson" <e-masson@kisoft-services.com>
    Cc: <freebsd-net@freebsd.org>
    Sent: Wednesday, October 29, 2003 9:04 AM
    Subject: Re: ipsec tunnels & packet length issues

    > Eric Masson:
    > >>>>>> "Michael" == Michael Sierchio <kudzu@tenebras.com> writes:
    > >
    > > Michael> You should allow for an IP header with options and the ESP
    > > Michael> header, which is smaller than 1450. For SKIP I use 1366 as the
    > > Michael> advertised MTU, and for IPsec usually 1436, unless I need to
    > > Michael> accommodate ESP and AH, in which case it's smaller.
    > >
    > >Ok, that's fine.
    > >
    > > Michael> It's a known feature of any sort of IP encapsulation.
    > >
    > >I understand.
    > >
    > >I'm no kernel hacker at all, I was just thinking about the ability for
    > >the tunnel endpoint to send back an icmp packet type 3 code 4 when the
    > >packet is too long to be encapsulated.
    >
    > Actually this is the case. Or better, it *should* be happening - I don't
    > know if you see the ICMPs or not. Note that this must be done on the
    > local tunnel endpoint, not the remote one.
    >
    > Helge
    > _______________________________________________
    > freebsd-net@freebsd.org mailing list
    > http://lists.freebsd.org/mailman/listinfo/freebsd-net
    > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
    >
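
Added example, not part of the original thread: the ESP tunnel-mode size arithmetic behind the MTU question, showing how cipher block padding and the integrity check value reduce the largest inner packet that fits in the link MTU. The function names are hypothetical; the assumed parameters are an IPv4 outer header, Blowfish-CBC with an 8-byte block and 8-byte IV, and a 96-bit HMAC ICV.

```python
# Added example: ESP tunnel-mode size arithmetic (RFC 2406 packet layout).
# Assumptions (not stated in the thread): IPv4 outer header, Blowfish-CBC
# with 8-byte block and 8-byte IV (RFC 2451), 12-byte (96-bit) HMAC ICV.

ESP_HEADER = 8    # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad length (1 byte) + next header (1 byte)


def esp_outer_size(inner_len, block=8, iv=8, icv=12, outer_ip=20):
    """Bytes on the wire for an inner IP packet of inner_len bytes."""
    plaintext = inner_len + ESP_TRAILER
    # Payload + padding + trailer must be a multiple of the cipher block.
    padded = -(-plaintext // block) * block
    return outer_ip + ESP_HEADER + iv + padded + icv


def max_inner_packet(link_mtu, block=8, iv=8, icv=12, outer_ip=20):
    """Largest inner packet that encapsulates without exceeding link_mtu."""
    room = link_mtu - outer_ip - ESP_HEADER - iv - icv
    if room < block:
        raise ValueError("link MTU too small for this ESP configuration")
    # Round the encrypted region down to whole blocks, then drop the trailer.
    return (room // block) * block - ESP_TRAILER


if __name__ == "__main__":
    cases = [
        ("ESP + 96-bit ICV", dict()),
        ("ESP, no authentication", dict(icv=0)),
        ("ESP + ICV, 60-byte outer IP header (options)", dict(outer_ip=60)),
    ]
    for label, kw in cases:
        inner = max_inner_packet(1500, **kw)
        print(f"{label}: inner <= {inner}, "
              f"outer = {esp_outer_size(inner, **kw)}")
    # The 1436 figure quoted in the thread fits under the assumed parameters.
    print("1436 ->", esp_outer_size(1436), "bytes on the wire")
```

One byte over the limit costs a whole extra cipher block, which is why an inner packet of 1447 bytes no longer fits a 1500-byte link under these assumptions.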

