Mixing if_ipsec in 11.1 with old policy based IPSEC

2018-03-07 Thread Muenz, Michael

Hi list,

I'm trying to get some docs and examples about the new if_ipsec code. 
From what I have read so far, it seems to be a bit tricky* running legacy policy-based 
IPSEC in combination with route-based IPSEC with Strongswan. Is 
it possible to mix them for bigger sites running e.g. one Azure VPN and 
multiple legacy VPNs to customers?



Thanks!

Michael


[*] https://genneko.github.io/playing-with-bsd/networking/freebsd-vti-ipsec
___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"


TCP Retransmission meets some problem.

2018-03-07 Thread cameled yang
Hello, everyone.

Recently I have been working on an eCos project. Its network stack uses a FreeBSD
version (not sure exactly which version; the SDK is provided by others).

Everything worked fine before I met a problem. When the local HTTP server returns
packets to the browser, sometimes retransmission happens. But rarely, the resent
TCP payload contains the previously sent packet's header! (All things are the same.)

cases like this:

...

Browser:  Sequence number: 444,  Acknowledgment number: 4600

NetStack: Sequence number: 4600, Acknowledgment number: 444

NetStack: Sequence number: 7819, Acknowledgment number: 444 (Previous segment lost?)

Browser:  Sequence number: 444,  Acknowledgment number: 6060

NetStack: Sequence number: 6060, Acknowledgment number: 444 (Retransmission happened)

...

Sequence 6060 contains 7819's header (the socket cache has been changed).

I guess the mbuf header of 7819 wrote its protocol header info into 6060's
cluster.

Anyone know something about this?

Best Regards.
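A way to check a capture for the symptom described in the post above, as an added example that is not part of the original message or of eCos/FreeBSD: it groups segments by direction and sequence number, compares each retransmission with the first copy of that segment, and scans a diverging payload for bytes that parse as an IPv4/TCP header carrying the flow's own ports and a sequence number seen elsewhere on the same flow. The addresses, ports and segment lengths in the sample flow are constructed; only the sequence numbers 4600/6060/7819 follow the trace in the post. In practice you would feed it segments parsed from a pcap.

```python
"""Flag retransmitted TCP segments whose payload carries another segment's header.

Added example (not from the post, eCos or FreeBSD). The sample flow below is
constructed: addresses, ports and segment lengths are assumptions; only the
sequence numbers 4600/6060/7819 follow the trace in the post.
"""
import struct
from dataclasses import dataclass


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    payload: bytes


def ipv4_tcp_header(src, sport, dst, dport, seq, ack, payload_len):
    """Minimal IPv4 + TCP header (40 bytes). Checksums are left zero; the scan ignores them."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp


def find_embedded_header(payload, flow_ports, other_seqs):
    """Return (offset, seq) if payload contains what looks like an IPv4/TCP header
    for this flow with a sequence number seen elsewhere on it; otherwise None."""
    for off in range(0, len(payload) - 40 + 1):
        if payload[off] != 0x45 or payload[off + 9] != 6:   # IPv4, 20-byte header, proto TCP
            continue
        sport, dport, seq = struct.unpack_from("!HHI", payload, off + 20)
        if (sport, dport) == flow_ports and seq in other_seqs:
            return off, seq
    return None


def check_retransmissions(segments):
    """Compare every retransmission (same direction and seq seen again) with its first copy."""
    seqs_by_dir = {}
    for s in segments:
        seqs_by_dir.setdefault((s.src, s.sport, s.dst, s.dport), set()).add(s.seq)
    first = {}
    findings = []
    for s in segments:
        flow = (s.src, s.sport, s.dst, s.dport)
        key = flow + (s.seq,)
        if key not in first:
            first[key] = s
            continue
        if s.payload == first[key].payload:
            findings.append({"seq": s.seq, "kind": "retransmit-identical"})
            continue
        emb = find_embedded_header(s.payload, (s.sport, s.dport), seqs_by_dir[flow] - {s.seq})
        findings.append({"seq": s.seq, "kind": "retransmit-corrupt", "embedded": emb})
    return findings


def sample_segments():
    """Constructed server->browser flow reproducing the reported pattern."""
    srv, cli = ("10.0.0.2", 80), ("10.0.0.1", 51000)
    body_6060 = b"<body>" + b"b" * 1454
    orig = [
        Segment(*srv, *cli, 4600, 444, b"<html>" + b"a" * 1454),
        Segment(*srv, *cli, 6060, 444, body_6060),
        Segment(*srv, *cli, 7819, 444, b"</body></html>"),
    ]
    # Retransmission of 6060 whose cluster now starts with 7819's IP/TCP header.
    bad = Segment(*srv, *cli, 6060, 444,
                  ipv4_tcp_header(srv[0], srv[1], cli[0], cli[1], 7819, 444, 14) + body_6060[40:])
    good = Segment(*srv, *cli, 7819, 444, b"</body></html>")   # a normal retransmission
    return orig + [bad, good]


if __name__ == "__main__":
    for f in check_retransmissions(sample_segments()):
        print(f)
```

A "retransmit-corrupt" finding with a non-empty `embedded` field is the signature the post describes: the retransmitted data for one sequence number begins with the wire header of a later segment, which points at the mbuf header/cluster handling in the stack rather than at the network.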


Re: why not enable tcp_pmtud_blackhole_detect in default

2018-03-07 Thread Kevin Bowling
Cheng,

We run this in production at Limelight Networks (i.e. toward a broad
spectrum of Internet hosts) and must deal with some uncommon
network topology. There are currently some limitations, as you point
out.

Like you say, the signaling is not perfect and we do often clamp MSS
unnecessarily.  There is also no probing to see if we can expand the
MSS later.

I think those issues should be fixed up before it's enabled by default
and I don't know anyone working on it at the moment.

Regards,

On Wed, Mar 7, 2018 at 8:35 AM, Cui, Cheng  wrote:
> Dear all,
>
> Reading through the TCP blackhole detection code (supporting RFC 4821) in 
> FreeBSD, including the recent bug fixes, I am wondering why it is still not 
> enabled by default. Given the fact that this implementation was a merge from 
> xnu, and xnu has enabled it by default, do we have a plan to enable it by 
> default? Or is there any concern about a side effect from it, such as a performance 
> regression against some false-positive blackhole event like a temporary link 
> flap, which is long enough to trigger a lower MSS but shorter than 6 RTO?
>
> https://opensource.apple.com/source/xnu/xnu-1456.1.26/bsd/netinet/tcp_timer.c.auto.html
>   << enabled in macOS 10.6
> https://reviews.freebsd.org/rS322967  << bug fixes
> https://reviews.freebsd.org/rS272720  << merge from xnu
>
> Thanks,
> --Cheng Cui
> NetApp Scale Out Networking
> https://netapp-meeting.webex.com/meet/chengc
>
>


why not enable tcp_pmtud_blackhole_detect in default

2018-03-07 Thread Cui, Cheng
Dear all,

Reading through the TCP blackhole detection code (supporting RFC 4821) in FreeBSD, 
including the recent bug fixes, I am wondering why it is still not enabled by 
default. Given the fact that this implementation was a merge from xnu, and 
xnu has enabled it by default, do we have a plan to enable it by default? Or is 
there any concern about a side effect from it, such as a performance regression 
against some false-positive blackhole event like a temporary link flap, which 
is long enough to trigger a lower MSS but shorter than 6 RTO?

https://opensource.apple.com/source/xnu/xnu-1456.1.26/bsd/netinet/tcp_timer.c.auto.html
  << enabled in macOS 10.6
https://reviews.freebsd.org/rS322967  << bug fixes
https://reviews.freebsd.org/rS272720  << merge from xnu

Thanks,
--Cheng Cui
NetApp Scale Out Networking
https://netapp-meeting.webex.com/meet/chengc


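A model of the mechanism discussed in Kevin Bowling's reply and in Cheng Cui's original question above, as an added example and not FreeBSD or xnu code: the retransmit-timeout backoff counter drives the MSS clamp, an ACK resets the counter but never re-probes the MSS upward, and after the sixth RTO the saved MSS is restored. The exact thresholds (clamp on the second and fourth RTO, give up on the sixth, 1200 then 536 bytes) and the state fields are my assumptions modelled on the FreeBSD sysctl defaults and tcp_timer.c logic as I recall them; only the "6 RTO" figure comes from the thread.

```python
"""Simulation of how TCP PMTU blackhole detection reacts to retransmit timeouts.

Added example, not FreeBSD or xnu source. The thresholds below are ASSUMPTIONS
modelled on FreeBSD's tcp_timer.c and sysctl defaults as the author of this
example recalls them; only the "6 RTO" figure is taken from the thread.
"""
from dataclasses import dataclass

BLACKHOLE_MSS = 1200      # assumed: net.inet.tcp.pmtud_blackhole_mss default (IPv4)
MIN_MSS = 536             # assumed: tcp_mssdflt, the last-resort clamp
GIVE_UP_RXTSHIFT = 6      # the "6 RTO" figure referenced in the thread


@dataclass
class Conn:
    """The pieces of TCP state the mechanism touches (simplified)."""
    maxseg: int                   # current MSS used for segmentation
    rxtshift: int = 0             # consecutive retransmit timeouts
    pmtud: bool = True            # Path MTU discovery active (DF bit set)
    blackhole: bool = False       # "we may have found a blackhole" flag
    saved_maxseg: int = 0         # MSS to restore if the clamp did not help
    max_seg_sent: bool = True     # last segment was full size (assumed precondition)


def on_rto(c: Conn) -> int:
    """Retransmit timer fired. Returns the MSS in effect afterwards."""
    c.rxtshift += 1
    probe_point = 2 <= c.rxtshift < GIVE_UP_RXTSHIFT and c.rxtshift % 2 == 0
    if c.pmtud and c.max_seg_sent and probe_point:
        if not c.blackhole:
            c.blackhole = True
            c.saved_maxseg = c.maxseg
        if c.maxseg > BLACKHOLE_MSS:
            c.maxseg = BLACKHOLE_MSS          # first stage: try a smaller MSS
        elif c.maxseg > MIN_MSS:
            c.maxseg = MIN_MSS                # second stage: minimum MSS, stop setting DF
            c.pmtud = False
    elif c.blackhole and c.rxtshift >= GIVE_UP_RXTSHIFT:
        # Smaller segments did not help either: probably not a blackhole, undo the clamp.
        c.pmtud = True
        c.blackhole = False
        c.maxseg = c.saved_maxseg
    return c.maxseg


def on_ack(c: Conn) -> int:
    """New data acknowledged: the backoff counter resets, but any clamp stays.
    This is the 'no probing to see if we can expand the MSS later' limitation."""
    c.rxtshift = 0
    return c.maxseg


def simulate(events: str, mss: int = 1460):
    """Apply a string of 'R' (RTO) / 'A' (ACK) events.
    Returns the MSS after each event and the final connection state."""
    c = Conn(maxseg=mss)
    history = []
    for ev in events:
        history.append(on_rto(c) if ev == "R" else on_ack(c))
    return history, c


if __name__ == "__main__":
    # Link flap lasting two RTOs, then the path recovers: MSS is clamped and never grows back.
    print("flap:   ", simulate("RRA")[0])
    # Sustained outage: clamp at the 2nd and 4th RTO, restore the original MSS at the 6th.
    print("outage: ", simulate("RRRRRR")[0])
```

The "RRA" run is the false positive raised in the question: two lost retransmissions during a flap are enough to mark the connection as a blackhole, and once the link is back the ACK clears the backoff but leaves the 1200-byte MSS in place for the rest of the connection. A flap that outlasts four RTOs additionally leaves DF cleared. Only the sustained-outage run ever restores the original MSS, and it does so because the clamp failed, not because the path was re-probed.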