Christian Hopps <[email protected]> wrote:
>> The ingress node encrypts this packet and adds the IPsec
>> encapsulation, and this IPsec-processed packet is also larger than the
>> Link MTU. The ingress node fragments this IPsec-processed packet and
>> sends all the fragments to the egress node.
> This should not happen. The ingress node should first fragment the
> inner IP packet so that it fits in the tunnel (i.e., so that the ESP
> packets it creates do not violate its own MTU).
You can't do that if DF=1, or IPv6.
You can form big ESP packets and then fragment them, even with IPv6.
DF=0 for IPv4 on ESP packets is good, until there is a firewall that can't
cope with fragments.
--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
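The two strategies argued over in this exchange, pre-fragmenting the inner packet versus encrypting it whole and fragmenting the outer ESP packet, can be modelled as a small ingress-side decision. The following is an added example, not code from the thread or from any IPsec implementation; the ESP overhead figures (SPI, sequence number, 8-byte IV, 2-byte trailer, 16-byte ICV, 4-byte payload alignment) are assumptions for an AEAD cipher, and `InnerPacket`, `esp_packet_size`, `split_payload` and `plan` are hypothetical names. It shows why DF=1 and IPv6 inner packets leave only the outer-fragmentation path, and what that path puts on the wire.

```python
"""Added example: model the ingress MTU decision for an ESP tunnel.

Header and ESP overhead sizes are assumed values for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

IPV4_HDR = 20
IPV6_HDR = 40
IPV6_FRAG_HDR = 8
# Assumed ESP layout for an AEAD cipher: SPI(4) + Seq(4) + IV(8) before the
# payload; Pad Length(1) + Next Header(1) + ICV(16) after it. Padding rounds
# payload + 2-byte trailer up to a 4-byte boundary.
ESP_HEAD = 16
ESP_TRAILER = 2
ESP_ICV = 16


@dataclass
class InnerPacket:
    version: int        # 4 or 6
    length: int         # total length of the inner IP packet in bytes
    df: bool = False    # IPv4 Don't Fragment bit; meaningless for IPv6


def esp_packet_size(inner_len: int, outer_version: int) -> int:
    """On-wire size of the ESP-in-IP packet carrying inner_len bytes."""
    outer_hdr = IPV4_HDR if outer_version == 4 else IPV6_HDR
    pad = (-(inner_len + ESP_TRAILER)) % 4
    return outer_hdr + ESP_HEAD + inner_len + pad + ESP_TRAILER + ESP_ICV


def split_payload(payload: int, max_chunk: int) -> List[int]:
    """Split payload bytes into chunks; all but the last are 8-byte aligned,
    because IP fragment offsets are expressed in 8-octet units."""
    max_chunk -= max_chunk % 8
    if max_chunk <= 0:
        raise ValueError("link MTU too small to carry any fragment")
    chunks = []
    while payload > 0:
        c = min(max_chunk, payload)
        chunks.append(c)
        payload -= c
    return chunks


def plan(inner: InnerPacket, link_mtu: int,
         outer_version: int = 4) -> Tuple[str, List[int]]:
    """Return (action, on-wire sizes of the packets the ingress emits)."""
    whole = esp_packet_size(inner.length, outer_version)
    if whole <= link_mtu:
        return "send", [whole]

    if inner.version == 4 and not inner.df:
        # Pre-fragment the inner packet: find the largest 8-aligned inner
        # payload chunk whose encapsulation still fits the link MTU.
        max_chunk, chunk = 0, 8
        while esp_packet_size(IPV4_HDR + chunk, outer_version) <= link_mtu:
            max_chunk = chunk
            chunk += 8
        chunks = split_payload(inner.length - IPV4_HDR, max_chunk)
        return "prefragment-inner", [
            esp_packet_size(IPV4_HDR + c, outer_version) for c in chunks]

    # DF=1 or an IPv6 inner packet: the inner packet must stay whole, so the
    # ingress encrypts it whole and fragments the outer ESP packet. As the
    # source of the outer packet it may do this even when the outer header
    # is IPv6 (source fragmentation with a Fragment header).
    base_hdr = IPV4_HDR if outer_version == 4 else IPV6_HDR
    frag_hdr = base_hdr if outer_version == 4 else base_hdr + IPV6_FRAG_HDR
    chunks = split_payload(whole - base_hdr, link_mtu - frag_hdr)
    return "postfragment-outer", [frag_hdr + c for c in chunks]


if __name__ == "__main__":
    # Constructed sample inner packets on a 1500-byte link.
    for pkt, ov in [(InnerPacket(4, 1500), 4),
                    (InnerPacket(4, 1500, df=True), 4),
                    (InnerPacket(6, 1500), 6)]:
        print(pkt, "outer v%d ->" % ov, plan(pkt, 1500, ov))
```

Note the operational point from the reply: the `postfragment-outer` path is the only one available for DF=1 or IPv6 inner traffic, and it emits outer fragments that a middlebox unable to reassemble (or configured to drop fragments) will silently discard, so tunnels carrying such traffic should be monitored for that failure mode.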
