Re: Looking for info re: IPSec & MTU

2005-05-22 Thread Mark Uemura
> 1) Can anyone recommend some good reference materials on this subject?

I assume that you have a copy of Richard Stevens 
"TCP/IP Illustrated Volume 1", I suggest that you go to 
section 11.5 (pages 148-156) and get it from the guru himself.  

If you need more information, then get a copy of 
"Fragmentation Considered Harmful" by Kent and Mogul 1987 
from the Computer Communication Review Vol. 17, No. 5, pages 390-401.
 
> 2) Given that I only have control over the OpenBSD end of this VPN
> connection, (the other end being a Cisco 7200 VXR), is it even
> possible to eliminate fragmentation issues?

Yes and no :( 

It will depend on your situation:  

- So long as you are not hosting services on the network(s) behind
  your OpenBSD vpn peer, then it may be as simple as setting the 
  max-mss in your pf.conf. 

  scrub in on $int_if all no-df max-mss 1440 fragment reassemble

  You'll have to find the optimal MTU for your setup.  An MTU=1300
  should be safe but I would do a simple ping and vary the MTU:

  ping -c 2 -D -s 1440 some_host_behind_Cisco_vpn_peer 

  In August 2003, I had a wonderful time with fragmentation issues.
  There was a Virus (can't recall the name) out that was targeting
  the ICMP protocol and it was plaguing the Internet and corporate
  Intranets big time.  As a counter-measure, Administrators started 
  blocking some if not all icmp-types and their related icmp-codes 
  essential for host to router and router to router communications, 
  in particular to us, ICMP type 3 code 4.  Unfortunately for me,
  this happened just as I joined a new company where fragmentation
  had haunted this company for years.  Without icmp type 3 code 4
  messages coming back to us, hosts would not even know to fragment
  the packets.  Needless to say, this was our death knell :( 
  Thanks to the virus, I quickly became aware that we did have a 
  fragmentation problem.

  The problem for me is that we were hosting services for other 
  offices. Just lowering the MTU on our side fixed things for hosts 
  on our side of the vpn peer.  But it was not the case for hosts 
  hitting our servers coming from the other end.  I didn't have 
  any control over the other vpn peer and the admin was hesitant
  to make any MTU changes because we weren't the only vpn peer 
  connecting to their vpn router.  I think that the IOS that they
  were running at the time did not have the ability to change the
  MTU.  So even when the virus thing went away, fragmentation was
  only half solved.  We subsequently moved to a dedicated MPLS 
  line and fragmentation was never an issue thereafter. 

- If you can have the Cisco Admins lower the MTU on their vpn peer
  as you do yours, then the problem should be solved altogether. 

If you need more reading, this may help.

http://www.snailbook.com/faq/mtu-mismatch.auto.html 

I hope that this was useful :)

Cheers,

Mark T. Uemura
OpenBSD Support Japan Inc.
http://www.openbsd-support.com



Re: Looking for info re: IPSec & MTU

2005-05-22 Thread Fernando Gont

Richard P. Koett wrote:

> I notice that we're receiving some fragmented packets, however. It's
> not a big deal but I'd like to see if things can be better optimized
> (and learn a bit in the process). I understand the basic concept of MTU
> but it's not something I usually have to tinker with. I'm hoping
> someone might care to answer a couple of questions for me:
>
> 1) Can anyone recommend some good reference materials on this subject?

RFC 1191. (Yes, it will probably be easier to understand than a one-page
explanation in a textbook)

> 2) Given that I only have control over the OpenBSD end of this VPN
>    connection, (the other end being a Cisco 7200 VXR), is it even
>    possible to eliminate fragmentation issues?

Yes, but it depends on the implementation of the involved systems. On one
hand, the VPN tunnels should be clever enough to process the ICMP error
messages they receive, keeping in mind the fact that you are tunneling packets.
On the other hand, if the involved routers only include the (entire IP
header + 64 bits of original payload) actually required by the IETF
specs, even if the tunnel machines are clever enough, they won't have
the information to demultiplex the messages accordingly.

--
Fernando Gont
e-mail: [EMAIL PROTECTED] || [EMAIL PROTECTED]



Re: Looking for info re: IPSec & MTU

2005-05-22 Thread Stuart Henderson

--On 21 May 2005 17:14 -0700, Richard P. Koett wrote:

> I notice that we're receiving some fragmented packets, however. It's
> not a big deal but I'd like to see if things can be better optimized
> (and learn a bit in the process). I understand the basic concept of
> MTU but it's not something I usually have to tinker with. I'm hoping
> someone might care to answer a couple of questions for me:
>
> 1) Can anyone recommend some good reference materials on this subject?
>
> 2) Given that I only have control over the OpenBSD end of this VPN
>    connection, (the other end being a Cisco 7200 VXR), is it even
>    possible to eliminate fragmentation issues?

'max-mss' in pf.conf should help.



Looking for info re: IPSec & MTU

2005-05-21 Thread Richard P. Koett
OpenBSD is working great instead of the Cisco router that our VPN peer
recommended. Thanks again to the developers who make it all possible.

I notice that we're receiving some fragmented packets, however. It's
not a big deal but I'd like to see if things can be better optimized
(and learn a bit in the process). I understand the basic concept of MTU
but it's not something I usually have to tinker with. I'm hoping
someone might care to answer a couple of questions for me:

1) Can anyone recommend some good reference materials on this subject?

2) Given that I only have control over the OpenBSD end of this VPN
   connection, (the other end being a Cisco 7200 VXR), is it even
   possible to eliminate fragmentation issues?

Thanks for any advice,
RPK.