> 1) Can anyone recommend some good reference materials on this subject?
I assume that you have a copy of Richard Stevens' "TCP/IP Illustrated Volume 1"; I suggest that you go to section 11.5 (pages 148-156) and get it from the guru himself. If you need more information, then get a copy of "Fragmentation Considered Harmful" by Kent and Mogul, 1987, from the Computer Communication Review Vol. 17, No. 5, pages 390-401.

> 2) Given that I only have control over the OpenBSD end of this VPN
> connection, (the other end being a Cisco 7200 VXR), is it even
> possible to eliminate fragmentation issues?

Yes and no :( It will depend on your situation:

- So long as you are not hosting services on the network(s) behind your OpenBSD vpn peer, then it may be as simple as setting the max-mss in your pf.conf:

    scrub in on $int_if all no-df max-mss 1440 fragment reassemble

  You'll have to find the optimal MTU for your setup. An MTU=1300 should be safe, but I would do a simple ping and vary the MTU:

    ping -c 2 -D -s 1440 some_host_behind_Cisco_vpn_peer

  In August 2003, I had a wonderful time with fragmentation issues. There was a virus (can't recall the name) out that was targeting the ICMP protocol, and it was plaguing the Internet and corporate Intranets big time. As a counter-measure, administrators started blocking some if not all icmp-types and their related icmp-codes essential for host-to-router and router-to-router communications, in particular to us, ICMP type 3 code 4. Unfortunately for me, this happened just as I joined a new company where fragmentation had haunted this company for years. Without icmp type 3 code 4 messages coming back to us, hosts would not even know to fragment the packets. Needless to say, this was our death knell :(

  Thanks to the virus, I quickly became aware that we did have a fragmentation problem. The problem for me is that we were hosting services for other offices. Just lowering the MTU on our side fixed things for hosts on our side of the vpn peer. But it was not the case for hosts hitting our servers coming from the other end. I didn't have any control over the other vpn peer, and the admin was hesitant to make any MTU changes because we weren't the only vpn peer connecting to their vpn router. I think that the IOS that they were running at the time did not have the ability to change the MTU. So even when the virus thing went away, fragmentation was only half solved. We subsequently moved to a dedicated MPLS line and fragmentation was never an issue thereafter.

- If you can have the Cisco admins lower the MTU on their vpn peer as you do yours, then the problem should be solved altogether.

If you need more reading, this may help:

http://www.snailbook.com/faq/mtu-mismatch.auto.html

I hope that this was useful :)

Cheers,
Mark T. Uemura
OpenBSD Support Japan Inc.
http://www.openbsd-support.com
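One way to script the "ping and vary the MTU" sweep from the post, as an added example that is not part of the original message: it binary-searches the largest don't-fragment ICMP payload that reaches a host behind the tunnel, then converts that into the path MTU and the max-mss value for the scrub rule. It assumes OpenBSD ping(8) flags (-D, -s) as used above; the probe function and host name are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Finds the largest ICMP payload
# that crosses the VPN with DF set and derives MTU / max-mss from it.
# Assumes OpenBSD ping(8): -D = don't fragment, -s = payload size in bytes.

# probe_df HOST PAYLOAD -> exit 0 if a DF-marked echo of that size got a reply.
# (OpenBSD ping exits non-zero when no reply is received.)
probe_df() {
    ping -c 2 -D -s "$2" "$1" >/dev/null 2>&1
}

# find_max_payload HOST LOW HIGH [PROBE] -> largest payload in [LOW,HIGH]
# accepted by PROBE (defaults to probe_df). Assumes that if size N passes,
# every size below N passes too, which holds for a single path MTU.
find_max_payload() {
    fmp_host=$1; fmp_lo=$2; fmp_hi=$3; fmp_probe=${4:-probe_df}
    fmp_best=0
    while [ "$fmp_lo" -le "$fmp_hi" ]; do
        fmp_mid=$(( (fmp_lo + fmp_hi) / 2 ))
        if "$fmp_probe" "$fmp_host" "$fmp_mid"; then
            fmp_best=$fmp_mid; fmp_lo=$((fmp_mid + 1))
        else
            fmp_hi=$((fmp_mid - 1))
        fi
    done
    echo "$fmp_best"
}

# ICMP payload + 8 (ICMP header) + 20 (IPv4 header) = largest packet that fit = MTU.
mtu_from_payload() { echo $(( $1 + 28 )); }

# TCP MSS = MTU - 20 (IPv4) - 20 (TCP): the number to put after max-mss in scrub.
mss_from_mtu() { echo $(( $1 - 40 )); }

# Run directly: ./mtu-probe.sh some_host_behind_Cisco_vpn_peer
# 1472 is the payload that fills a 1500-byte Ethernet MTU.
if [ -n "$1" ]; then
    pl=$(find_max_payload "$1" 0 1472)
    mtu=$(mtu_from_payload "$pl")
    echo "largest DF payload $pl -> path MTU $mtu -> scrub ... max-mss $(mss_from_mtu "$mtu")"
fi
```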

