On Thu, Mar 06, 2008 at 11:47:37PM +0100, openbsd misc wrote:
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > On behalf of George Paschos
> > Sent: Thursday, 6 March 2008 11:47
> > To: misc@openbsd.org
> > Subject: Regarding MTU values on 802.1q trunked physical
> > interfaces (and more)
> >
> > Hello all,
> >
> > I am a bit confused regarding the MTU value of the physical ethernet
> > interfaces when there are vlan child interfaces configured, with regard
> > to avoiding unneeded fragmentation:
> >
> > "ifconfig" shows an MTU of 1500 for both the parent and the vlan
> > interface. Should I increase by hand the mtu of the physical parent
> > interface to accommodate the extra bytes for the vlan tags or is this
> > taken care of by the operating system in some way when you define a
> > physical interface as parent to a vlan one?
> >
> > Also as an extension to the previous question:
> > When using IPSEC tunnels under openbsd, is there a need to increase the
> > physical interface's MTU to accommodate ipsec overhead? And if yes, what
> > would be that "magic" value from your experience?
> > enc0 reports an MTU of 1536 which sounds logical, but that wouldn't
> > prevent fragmentation if the interface that the ipsec traffic
> > originates/terminates is at 1500.
> > Ofc regarding the above, the rest of networking equipment between the
> > ipsec endpoints (switches, routers, etc) has been configured to handle
> > correctly the bigger mtu values.
> >
> > Thanks in advance on any insight
> >
> > Regards,
> > George
> >
> >
> 
> Hello,
> 
> AFAIK the VLAN "overhead" should be handled by your nic (driver) - the mtu set
> to 1500 is the packet size without (jumbo frame) extensions - my understanding
> is that it is the same for ipsec - as long as the frame that should go
> through the tunnel has a size <= 1500 fragmentation will not take place, the
> ipsec interface itself needs the overhead (1536 - 1500) for the ipsec tunnel.
> You see the difference because it's software, not nic/driver ...
> 

The drivers have a flag to specify if they are capable of doing oversized
packets (and so allow a 1500 bytes MTU on the vlan interface).
There is no such thing for IPsec. By default IPsec will send out ICMP
fragmentation needed messages to make the client lower the MTU/MSS of the
connection. You could increase the MTU of the interface with the IPsec
traffic on it but that will only work if the full path to the other end
has an equal or bigger MTU (you can't expect that for anything passing the
internet).


-- 
:wq Claudio
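
An added example, not part of the original thread: a short calculation of the "magic" value asked about above, showing how large an inner packet can be before an ESP tunnel over a 1500-byte path has to signal "fragmentation needed". The two transforms, IPv4 tunnel mode and the absence of NAT-T encapsulation are assumptions; the thread does not say what was configured.

```python
"""Added example: largest inner packet an ESP tunnel carries unfragmented."""
from dataclasses import dataclass

OUTER_IPV4 = 20   # outer IPv4 header, no options (tunnel mode, no NAT-T)
ESP_HEADER = 8    # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspTransform:
    name: str
    iv_len: int   # bytes of IV carried in every packet
    block: int    # alignment the payload plus trailer is padded to
    icv_len: int  # integrity check value appended to the packet


# Assumed transforms for illustration; not taken from the thread.
AES_CBC_SHA1 = EspTransform("aes-cbc + hmac-sha1-96", 16, 16, 12)
AES_GCM = EspTransform("aes-gcm (16-byte ICV)", 8, 4, 16)


def outer_size(inner_len: int, t: EspTransform) -> int:
    """Size of the outer IPv4 packet produced for one inner packet."""
    body = inner_len + ESP_TRAILER
    padded = -(-body // t.block) * t.block   # round up to the alignment
    return OUTER_IPV4 + ESP_HEADER + t.iv_len + padded + t.icv_len


def max_inner(path_mtu: int, t: EspTransform) -> int:
    """Largest inner packet whose encapsulation still fits path_mtu."""
    room = path_mtu - OUTER_IPV4 - ESP_HEADER - t.iv_len - t.icv_len
    return (room // t.block) * t.block - ESP_TRAILER


def tcp_mss(inner_mtu: int) -> int:
    """MSS for TCP over IPv4 inside the tunnel (20 IP + 20 TCP, no options)."""
    return inner_mtu - 40


if __name__ == "__main__":
    for t in (AES_CBC_SHA1, AES_GCM):
        m = max_inner(1500, t)
        print(f"{t.name}: a 1500-byte inner packet becomes "
              f"{outer_size(1500, t)} bytes; max inner {m}, MSS {tcp_mss(m)}")
```

Because padding rounds up to the cipher alignment, the overhead is not a fixed number of bytes, which is why the usable inner MTU differs per transform.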
