Date: Thu, 30 Jan 2014 16:59:45 +0100
From: Hannes Frederic Sowa <hannes@...essinduktion.org>
To: Simon Schneider <simon-schneider@....net>
Cc: netdev@...r.kernel.org
Subject: Re: Re: IPv4 / IPv6 over IPv4 IPsec tunnel: setting the DF bit

On Thu, Jan 30, 2014 at 04:26:24PM +0100, Simon Schneider wrote:
> Hi Hannes,
> thanks once again for the quick reply.
>
> Quickly checked the ip manpage. I'm clear about the case where pmtudisc is in effect (default) - the DF bit must be TRUE in this case, for PMTUD to work.
>
> Not sure what you meant by:
>
> "but DF bit should get copied from inner packet up to tunnel header in every
> case"
>
> Do you mean the nopmtudisc case?

Exactly. In nopmtudisc mode the flag is set based on the inner protocol's DF
bit, default cleared. In pmtudisc mode the DF flag is always set.

> Also, IPv6 must be different then - there's no DF bit to be copied.

If a packet cannot traverse a router, frag_needed is returned, the tunnel
endpoint relays the ICMP info to the original sender and it should update its
pmtu. There is no way to fragment the packet mid-path. Also, IPv6 tunnel
endpoints do not fragment the tunnel packets while encapsulating. An ipsec mode
tunnel is allowed to fragment the packets while encapsulating.

> Could you please clarify?

Hope I did. ;)

Greetings,

  Hannes