Re: IPSEC transport mode w/2.2.x kernels and large packets

Andi Kleen (ak@muc.de)
Sat, 7 Aug 1999 19:50:02 +0200

On Sat, Aug 07, 1999 at 06:07:40PM +0200, Richard Guy Briggs wrote:
> > Now TCP generates frames the right size for optimal performance, everything
> > else hands down full datagrams and the world is a happier place.
> >
> > You can't run path MTU discovery with IPsec. The DF could be faked and aimed
> > at dropping your link to unusably low speeds. Ignoring the DF could equally
> > be a complete link failure. So you don't run mtu discovery.
>
> Right, IPSECed packets should arguably never have DF set. From the
> RFCs, IIRC, this is configurable.

They should. Writing a protocol in the 90ies which does not support
path mtu discovery is a very bad idea. Fragmented packets mean that
the congestion avoidance algorithms used by TCP have much worse performance
than otherwise. You should either do pmtudisc yourself, or at least allow
the end2end hosts to do it themselves (second is better)

If you want to support IPv6 you'll need that anyways. DF is the default
there and cannot be turned off.

> I am still fiddling with bits and pieces to try to figure out where to
> set the mss without affecting the MTU of that device or that route?
> Can you be very specific about which members of which structures do
> this? I assumed that skb->dst->pmtu was one, but I am not certain.
> Are they actually named 'mss'?

Just set the MTU of the device correct. Then it'll happen for you.

-Andi

-- 
This is like TV. I don't like TV.


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/