On 17.01.2020 12:36, Victor Sudakov wrote:
> Back to the point. I've figured out that both encrypted (in transport
> mode) and unencrypted TCP segments have the same MSS=1460. Then I'm
> completely at a loss how the encrypted packets avoid being fragmented.
> TCP has no way to know in advance that encryption overhead will be
> added.
For IPsec endpoints (i.e. when you encrypt your own sessions), TCP for each outgoing packet invokes the IPSEC_HDRSIZE() method, which returns the approximate size required for IPsec, and using this information it calculates the MSS. I think this should work in this way.

--
WBR,
Andrey V. Elsukov
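A constructed illustration of the MSS arithmetic discussed in this reply (an added example, not code from the thread or from FreeBSD's IPSEC_HDRSIZE() implementation). It assumes an IPv4 MTU of 1500 and ESP transport mode with AES-CBC (16-byte IV and block) plus HMAC-SHA1-96 (12-byte ICV); the header sizes are the standard ESP ones, and the worst-case padding budget is this example's own estimate.

```c
#include <assert.h>
#include <stdio.h>

/* Assumed sizes in bytes for ESP transport mode, AES-CBC-128 + HMAC-SHA1-96. */
#define IPV4_HDR     20
#define TCP_HDR      20
#define ESP_HDR       8   /* SPI + sequence number */
#define ESP_IV       16   /* AES-CBC IV */
#define ESP_TRAILER   2   /* pad length + next header */
#define ESP_ICV      12   /* HMAC-SHA1-96 */
#define ESP_BLOCK    16   /* AES block size; payload + trailer are padded to it */

/* Worst-case overhead ESP adds in transport mode. Every field is fixed except
 * the padding, which can reach ESP_BLOCK-1 bytes, so budget for that case. */
static int esp_transport_overhead(void) {
    return ESP_HDR + ESP_IV + (ESP_BLOCK - 1) + ESP_TRAILER + ESP_ICV;
}

/* MSS TCP would use if it knew nothing about IPsec: MTU minus IP and TCP headers. */
static int mss_plain(int mtu) { return mtu - IPV4_HDR - TCP_HDR; }

/* MSS after subtracting the IPsec estimate, the way an IPSEC_HDRSIZE()-style
 * hint lets TCP shrink the segment on an IPsec endpoint (assumed behaviour). */
static int mss_ipsec(int mtu) { return mss_plain(mtu) - esp_transport_overhead(); }

/* On-the-wire size of a segment carrying `payload` bytes once ESP transport
 * mode wraps it: the TCP header and payload plus trailer are padded to a block. */
static int esp_packet_size(int payload) {
    int plain  = TCP_HDR + payload + ESP_TRAILER;
    int padded = (plain + ESP_BLOCK - 1) / ESP_BLOCK * ESP_BLOCK;
    return IPV4_HDR + ESP_HDR + ESP_IV + padded + ESP_ICV;
}

int main(void) {
    int mtu = 1500;
    int naive = mss_plain(mtu);          /* 1460: would fragment after ESP */
    int aware = mss_ipsec(mtu);          /* 1407: fits in the MTU after ESP */
    printf("MSS without IPsec knowledge: %d -> %d bytes on the wire (MTU %d)\n",
           naive, esp_packet_size(naive), mtu);
    printf("MSS minus IPsec estimate:    %d -> %d bytes on the wire (MTU %d)\n",
           aware, esp_packet_size(aware), mtu);
    return 0;
}
```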