[vpn-help] Fragmentation notes for NetBSD ...
Matthew Grooms
mgrooms at shrew.net
Sun Aug 20 21:02:52 CDT 2006
All,
I have been playing around with IPSEC fragmentation on NetBSD for the
past few weeks and wanted to post some notes. I would rather this info
didn't get lost in my head ...
There are two options with NetBSD. Normal IP fragmentation and the
special pre-fragmentation. The pre-fragmentation support ( enabled by
specifying esp_frag in racoon ) helps peers communicate when a broken
DSL router is being used that won't fragment or forward UDP packets larger
than a nominal DNS packet size ( ~540 bytes ). This option only supports
NATT communications. As the NetBSD client howto states, using TCP and
this feature is a special case. For example ...
If a vpn client makes a request for a web page and the web page returns
a packet larger than the esp_frag size, it will be dropped. An ICMP
message is then returned to the sender stating that the packet needs to
be fragmented. The sender should then adjust its packet size and
re-send. The problem is that most web services on the Internet block
ICMP messages for various reasons. For more info, see ...
http://www.netheaven.com/pmtu.html
The NetBSD howto suggests using TCP Maximum Segment Size Clamping on the
gateway firewall to avoid this scenario. If you clamp MSS so that the
segment size is lower than or equal to the esp_frag size, then all TCP
packets should pass because they won't need to be fragmented. For more
info, see ...
http://www.netbsd.org/Documentation/network/ipsec/rasvpn.html#more_frag
The other option is to disable the special pre-fragmentation support
and let IP fragment the UDP packets in the normal fashion. Everything
would work fine with this setup unless you run into a user that has an
antiquated DSL router.
Personally, I wish there was an option in NetBSD to go ahead and
pre-fragment the large TCP packets and skip the ICMP notifications. This
way, if you are using a client that knows how to pre-fragment ( like the
Shrew Soft Client ) or a client that can negotiate smaller MSS sizes (
like newer versions of the Cisco client ), you don't need to use MSS
clamping. If you support other peer types, you can still use MSS
clamping and everyone is still happy.
-Matthew
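The scenario in the post (an esp_frag limit, oversize TCP segments dropped with an ICMP "fragmentation needed", and MSS clamping as the fix) can be modelled in a few lines. The block below is an added example, not code from the post, from NetBSD or from racoon. Its header and trailer sizes are assumptions for tunnel-mode ESP over UDP (NAT-T) with AES-CBC and HMAC-SHA1-96, the 540-byte esp_frag and the 1500-byte path MTU are constructed values, and the function names are the example's own. The useful part is `max_mss_for`: the MSS you clamp to has to leave room for the NAT-T, ESP and cipher padding overhead, so it ends up well below the raw esp_frag value.

```python
# Added example: model of the esp_frag / MSS-clamping interplay from the post.
# Not code from the post, NetBSD or racoon. Overheads below are assumptions
# for tunnel-mode ESP over UDP (NAT-T) with AES-CBC + HMAC-SHA1-96; adjust
# them to the SA parameters actually negotiated on your gateway.
from typing import Optional

IP_HDR = 20        # IPv4 header without options (outer and inner)
TCP_HDR = 20       # TCP header without options
UDP_HDR = 8        # NAT-T UDP encapsulation header
ESP_HDR = 8        # ESP SPI + sequence number
ESP_IV = 16        # assumption: AES-CBC IV
ESP_TRAILER = 2    # pad length + next header
ESP_ICV = 12       # assumption: HMAC-SHA1-96 authenticator
ESP_BLOCK = 16     # assumption: AES block size
PATH_MTU = 1500    # assumption: Ethernet path MTU used when pre-fragmentation is off


def esp_pad_len(inner_len: int) -> int:
    """Padding so that inner packet + ESP trailer fills whole cipher blocks."""
    return (-(inner_len + ESP_TRAILER)) % ESP_BLOCK


def encapsulated_size(inner_len: int) -> int:
    """On-the-wire size of a NAT-T ESP packet carrying an inner IP packet of inner_len bytes."""
    return (IP_HDR + UDP_HDR + ESP_HDR + ESP_IV
            + inner_len + esp_pad_len(inner_len) + ESP_TRAILER + ESP_ICV)


def max_mss_for(esp_frag: int) -> int:
    """Largest TCP MSS whose full-size segment still fits in esp_frag once encapsulated.

    This is the value to clamp to on the gateway firewall: with it, no TCP
    segment between the tunnel peers ever needs fragmentation.
    """
    mss = esp_frag
    while mss > 0 and encapsulated_size(IP_HDR + TCP_HDR + mss) > esp_frag:
        mss -= 1
    return mss


def gateway_action(inner_len: int, esp_frag: Optional[int]) -> str:
    """What the gateway does with an inner TCP packet of inner_len bytes.

    esp_frag=None models normal IP fragmentation (pre-fragmentation disabled):
    an oversize packet is simply split at the path MTU. With esp_frag set,
    an oversize TCP packet is dropped and an ICMP 'fragmentation needed'
    message goes back to the sender, which is the case the post describes.
    """
    size = encapsulated_size(inner_len)
    if esp_frag is None:
        return "sent" if size <= PATH_MTU else "ip-fragmented"
    if size <= esp_frag:
        return "sent"
    return "dropped, icmp frag-needed sent"


def demo() -> dict:
    """Walk through the post's scenario with a constructed esp_frag of 540 bytes."""
    esp_frag = 540
    full_segment = IP_HDR + TCP_HDR + 1460               # typical full-size segment
    clamped = IP_HDR + TCP_HDR + max_mss_for(esp_frag)   # after MSS clamping
    return {
        "max_mss": max_mss_for(esp_frag),
        "unclamped": gateway_action(full_segment, esp_frag),
        "clamped": gateway_action(clamped, esp_frag),
        "no_prefrag": gateway_action(full_segment, None),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the assumed overheads, `max_mss_for(540)` comes out at 422: the 66 bytes of fixed NAT-T/ESP overhead plus cipher padding eat the rest. If a web server's reply ignores the ICMP message, the unclamped case stays stuck at "dropped", which is exactly why the howto recommends clamping at the gateway.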