lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Thu, 30 Jan 2014 16:59:45 +0100
From:	Hannes Frederic Sowa <>
To:	Simon Schneider <>
Subject: Re: Re: IPv4 / IPv6 over IPv4 IPsec tunnel: setting the DF bit

On Thu, Jan 30, 2014 at 04:26:24PM +0100, Simon Schneider wrote:
> Hi Hannes,
> thanks once again for the quick reply.
> Quickly checked the ip manpage. I'm clear about the case where pmtudisc is in effect (default) - the DF bit must be TRUE in this case, for PMTUD to work.
> Not sure what you meant by:
> "but DF bit should get copied from inner packet up to tunnel header in every
> case"
> Do you mean the nopmtudisc case?

Exactly. In nopmtudisc mode the flag is set based on the inner protocols df
bit, default cleared. In pmtudisc mode the DF-flag is always set.

> Also, IPv6 must be different then - there's no DF bit to be copied.

If packet cannot traverse a router frag_needed is returned, tunnel
endpoint relays the icmp info to the original sender and it should update
its pmtu. There is no way to fragment the packet mid-path.

Also IPv6 tunnel endpoint do not fragment the tunnel packets while

ipsec mode tunnel is allowed to fragment the packets while encapsulation.

> Could you please clarify?

Hope I did. ;)



To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to
More majordomo info at

Powered by blists - more mailing lists