Shifting policy to userspace and the daemons involved. Which is where it should
be. The whole point of the mss option originally was to allow users to drop
the MSS of a path for better performance.
> The hosts don't know that they communicating with a tunnel. So they don't
> know that they're supposed to ignore ICMP_FRAG_NEEDED. They don't. If the
> IPSec host doesn't generate it, someone else will. To avoid it you have
> to make sure that the network after the tunnel is secured.
Correct. But think about transport mode
> I don't see any advantage in breaking IP, just to avoid one possible DoS,
> when there are lots of others anyways, which cannot be avoided.
Its not breaking IP.
To do IPSEC with DF does require a little kernel tweaking because the
slack space for the crypto headers needs to be factored into the path mtu
computation. That can wait until after the basic solution
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/