On 23.12.2019 15:00, Andrey V. Elsukov wrote:
> On 20.12.2019 18:23, Victor Sudakov wrote:
>> Dear Colleagues,
>>
>> I've set up IPSec in transport mode between two regular FreeBSD hosts,
>> for testing. Now TCP sessions between those hosts don't work normally
>> any more. For example, scp is stalled almost immediately after starting
>> a file transfer, and so is interactive ssh eventually.
>>
>> I feel that the problem is somehow related to MTU, MSS and fragmentation
>> of ESP packets, because:
>>
>> 1. When IPSec is disabled, I can "ping -s1472 -D" the remote host all
>> right.
>>
>> 2. When IPSec is enabled, the maximum packet size I've been able to send
>> through is "ping -s1414 -D". ("ping -s1415 -D host-b" already disappears
>> in the void).
>
> I think the silence from ping is due to IPsec working asynchronously.
> I.e. when an application sends data to the stack, it receives good feedback
> and thinks that the data was sent successfully, then it waits for a reply.
> But IPsec consumes the data and then the encrypted data will be sent from
> a crypto thread via callback. And now it cannot be fragmented due to the
> IP_DF bit, but there is no app waiting for this error code.
>
> Similar problem is with TCP. Probably we can try to send a PRC_MSGSIZE
> notify when EMSGSIZE is returned from ip_output(). At least for TCP.
Hi,

I prepared the PoC patch that should fix the problem with TCP and transport
mode IPsec. But I don't have free time currently to properly test and debug
it. It is only compile-tested. But if you want, you can try :)
Currently only IPv4 support is implemented.

https://people.freebsd.org/~ae/ipsec_transport_mode_ctlinput.diff

-- 
WBR, Andrey V. Elsukov
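The sharp 1414/1415 edge in Victor's ping test is what ESP transport-mode framing produces once the inner packet plus trailer crosses a cipher block boundary. The calculator below is an added example, not code from the thread or from FreeBSD: it applies the RFC 4303 layout (8-byte SPI/sequence header, cipher IV, payload padded to the cipher block size, 2-byte trailer, ICV) to a 1500-byte MTU and finds the largest DF-safe payload for a given transform. The thread does not say which transforms the SAs used, so the transform table is an assumption; with AES-CBC and a 32-byte ICV the limit lands exactly on -s1414, and without IPsec on -s1472, matching the two observations. The TCP case is included because the same arithmetic gives the MSS a transport-mode peer would need to advertise to avoid the EMSGSIZE path Andrey describes.

```python
"""ESP transport-mode packet-size calculator (added example, not from the thread).

Frames an IPv4/ESP transport-mode packet as in RFC 4303 and reports the largest
L4 payload that fits a path MTU without fragmentation (IP_DF set).  The transform
parameters (IV length, cipher block size, ICV length) are assumptions; the thread
does not record which transforms were configured on the test hosts.
"""

IP4_HDR = 20        # IPv4 header without options
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)
ICMP_ECHO_HDR = 8   # what "ping -s N" adds on top of N data bytes
TCP_HDR = 20        # TCP header without options

# (iv_len, cipher block size, icv_len) -- assumed, not taken from the thread.
TRANSFORMS = {
    "none": (0, 1, 0),                        # plain IPv4, no IPsec
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "aes-cbc/hmac-sha2-512-256": (16, 16, 32),
    "aes-gcm-16": (8, 4, 16),                 # RFC 4106: 8-byte IV, 16-byte ICV
}


def esp_transport_len(inner_len: int, transform: str) -> int:
    """Outer IPv4 length of a transport-mode ESP packet whose inner L4 data
    (L4 header + data) is inner_len bytes.  "none" returns the plain length."""
    if transform == "none":
        return IP4_HDR + inner_len
    iv_len, block, icv_len = TRANSFORMS[transform]
    # RFC 4303: payload + trailer are padded up to the cipher block size.
    body = inner_len + ESP_TRAILER
    padded = (body + block - 1) // block * block
    return IP4_HDR + ESP_HDR + iv_len + padded + icv_len


def max_l4_payload(mtu: int, l4_hdr: int, transform: str) -> int:
    """Largest L4 data size whose packet still fits in mtu with DF set.

    Length is monotonic in the data size, so stop at the first overflow.
    The block padding is why the limit moves in steps of the block size and
    why a single extra byte ("-s1415") can push the packet over the MTU."""
    best = 0
    for data in range(0, mtu):
        if esp_transport_len(l4_hdr + data, transform) > mtu:
            break
        best = data
    return best


def size_report(mtu: int = 1500) -> dict:
    """Per-transform limits for ping data ("-s") and TCP segment data (MSS)."""
    return {
        name: {
            "ping_data": max_l4_payload(mtu, ICMP_ECHO_HDR, name),
            "tcp_mss": max_l4_payload(mtu, TCP_HDR, name),
        }
        for name in TRANSFORMS
    }


if __name__ == "__main__":
    for name, limits in size_report().items():
        print(f"{name:28s} ping -s{limits['ping_data']}  MSS {limits['tcp_mss']}")
```

Running it shows that `ping -s1414 -D` produces a 1500-byte ESP packet under the AES-CBC/32-byte-ICV assumption while `-s1415` needs a whole extra cipher block, and that the matching TCP MSS would be 1402 rather than the 1460 the hosts derive from a 1500-byte link MTU. Since the EMSGSIZE arises in the crypto callback, as Andrey notes, neither ping nor TCP sees it; the workaround until the PRC_MSGSIZE notify lands is to clamp the MSS (or lower the interface MTU) to the value this calculation gives for the transform in use.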