Mixing if_ipsec in 11.1 with old policy based IPSEC
Hi list,

I'm trying to get some docs and examples about the new if_ipsec code. From what I have read so far, it seems to be a bit tricky* running legacy policy based IPSEC in combination with route based IPSEC with Strongswan.

Is it possible to mix them for bigger sites running e.g. one Azure VPN and multiple legacy VPNs to customers?

Thanks!
Michael

[*] https://genneko.github.io/playing-with-bsd/networking/freebsd-vti-ipsec

___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

TCP Retransmission meet some problem.
Hello, everyone.

Recently I have been working with an eCos project. Its network stack uses a FreeBSD version (not sure exactly which version; the SDK is provided by others). Everything worked fine until I met a problem. When the local HTTP server returns packets to the browser, sometimes retransmission happens. But rarely, the resent TCP payload contains a previously sent packet header! (All things are the same.) Cases like this:

...
Browser: Sequence number:444, Acknowledgment number: 4600
NetStack:Sequence number:4600, Acknowledgment number: 444
NetStack:Sequence number:7819, Acknowledgment number:444 (Previous segment lost?)
Browser: Sequence number:444, Acknowledgment number: 6060
NetStack:Sequence number:6060, Acknowledgment number: 444 (Retransmission happened)
...

Sequence 6060 contains 7819's header (socket cache has been changed). I guess the mbuf header of 7819 writes its protocol header info to 6060's cluster. Anyone know something about this?

Best Regards.

Re: why not enable tcp_pmtud_blackhole_detect in default
Cheng,

We run this in production at Limelight Networks (i.e. toward a broad spectrum of Internet hosts) and must deal with some uncommon network topology. There are currently some limitations, as you point out. Like you say, the signaling is not perfect and we do often clamp MSS unnecessarily. There is also no probing to see if we can expand the MSS later.

I think those issues should be fixed up before it's enabled by default, and I don't know anyone working on it at the moment.

Regards,

On Wed, Mar 7, 2018 at 8:35 AM, Cui, Cheng wrote:
> Dear all,
>
> Reading through the tcp blackhole detection code (support RFC 4821) in
> FreeBSD including the recent bug fixes, I am wondering why is it still not
> enabled in default? Given the fact that this implementation was a merge from
> xnu, and the xnu has enabled it in default, do we have a plan to enable it in
> default? Or is there any concern about the side-effect from it as performance
> regression against some false positive blackhole event like a temporary link
> flap, which is long enough to trigger a lower MSS but shorter than 6 RTO?
>
> https://opensource.apple.com/source/xnu/xnu-1456.1.26/bsd/netinet/tcp_timer.c.auto.html << enabled in macOS 10.6
> https://reviews.freebsd.org/rS322967 << bug fixes
> https://reviews.freebsd.org/rS272720 << merge from xnu
>
> Thanks,
> --Cheng Cui
> NetApp Scale Out Networking
> https://netapp-meeting.webex.com/meet/chengc

why not enable tcp_pmtud_blackhole_detect in default
Dear all,

Reading through the tcp blackhole detection code (support RFC 4821) in FreeBSD including the recent bug fixes, I am wondering why is it still not enabled in default? Given the fact that this implementation was a merge from xnu, and the xnu has enabled it in default, do we have a plan to enable it in default? Or is there any concern about the side-effect from it as performance regression against some false positive blackhole event like a temporary link flap, which is long enough to trigger a lower MSS but shorter than 6 RTO?

https://opensource.apple.com/source/xnu/xnu-1456.1.26/bsd/netinet/tcp_timer.c.auto.html << enabled in macOS 10.6
https://reviews.freebsd.org/rS322967 << bug fixes
https://reviews.freebsd.org/rS272720 << merge from xnu

Thanks,
--Cheng Cui
NetApp Scale Out Networking
https://netapp-meeting.webex.com/meet/chengc