Re: MTU path discovery and IPSec

2003-12-10 Thread Barney Wolff
On Wed, Dec 10, 2003 at 03:43:59PM -0500, Joe Maimon wrote: > > Packets are fragmented into equally sized units to prevent further > downstream fragmentation. For amusement's sake, in response to a challenge from Crist Clark, here's code to do it right. Pretty simple, although I have no idea ho

Re: MTU path discovery and IPSec

2003-12-10 Thread Joe Maimon
Joe Maimon wrote: Tony Rall wrote: On Wednesday, 2003-12-03 at 09:38 PST, David Sinn <[EMAIL PROTECTED]> wrote: I was wondering would it not be wiser for fraggers to frag in half instead of just the overflow? I noticed today this URL http://www.cisco.com/en/US/products/sw/iosswr

Re: MTU path discovery and IPSec

2003-12-05 Thread Michael . Dillon
>Is there any discussion on better alternatives to PMTUD such as leaving >off DF and a new ICMP subtype, rate limited, to inform senders that >they've been fragged and at what (call it reverse PMTUD?) ? There is a better alternative that is already used in production. When a router receives pac

Re: MTU path discovery and IPSec

2003-12-04 Thread Valdis . Kletnieks
On Thu, 04 Dec 2003 17:22:23 PST, Crist Clark said: > Exercise for the reader: > > Devise an algorithm that will take an arbitrarily sized packet 20-65535 > octets and an arbitrarily sized MTU, > 576 octets, and split the > packet into the minimum number of "n" fragments where each fragment is >

Re: MTU path discovery and IPSec

2003-12-04 Thread Joe Maimon
Laurence F. Sheldon, Jr. wrote: Crist Clark wrote: Joe Maimon wrote: Tony Rall wrote: On Wednesday, 2003-12-03 at 09:38 PST, David Sinn <[EMAIL PROTECTED]> wrote: (And note that frag 1 often is not the first fragment to arrive at downstream nodes. In my exampl

Re: MTU path discovery and IPSec

2003-12-04 Thread Laurence F. Sheldon, Jr.
Crist Clark wrote: > > Joe Maimon wrote: > > > > Tony Rall wrote: > > > > >On Wednesday, 2003-12-03 at 09:38 PST, David Sinn <[EMAIL PROTECTED]> wrote: > > > > > > > > > >(And note that frag 1 often is not the first fragment to arrive at > > >downstream nodes. In my example in (1), frequently f

Re: MTU path discovery and IPSec

2003-12-04 Thread Joe Maimon
Crist Clark wrote: Joe Maimon wrote: Tony Rall wrote: On Wednesday, 2003-12-03 at 09:38 PST, David Sinn <[EMAIL PROTECTED]> wrote: (And note that frag 1 often is not the first fragment to arrive at downstream nodes. In my example in (1), frequently frag 2 will reach pl

Re: MTU path discovery and IPSec

2003-12-04 Thread Joe Maimon
[EMAIL PROTECTED] wrote: On Thu, 04 Dec 2003 18:03:38 EST, Barney Wolff said: That's not how PMTUD works. If DF is set, you discard the packet and report back with ICMP. If DF is not set, you frag the packet - but that's not PMTUD, because no report ever goes back to the sender. Oh, s

Re: MTU path discovery and IPSec

2003-12-04 Thread Crist Clark
Joe Maimon wrote: > > Tony Rall wrote: > > >On Wednesday, 2003-12-03 at 09:38 PST, David Sinn <[EMAIL PROTECTED]> wrote: > > > > > > > > > > > >(And note that frag 1 often is not the first fragment to arrive at > >downstream nodes. In my example in (1), frequently frag 2 will reach > >places

Re: MTU path discovery and IPSec

2003-12-04 Thread Valdis . Kletnieks
On Thu, 04 Dec 2003 18:03:38 EST, Barney Wolff said: > That's not how PMTUD works. If DF is set, you discard the packet and > report back with ICMP. If DF is not set, you frag the packet - but > that's not PMTUD, because no report ever goes back to the sender. Oh, so we compute ONE number if DF

Re: MTU path discovery and IPSec

2003-12-04 Thread Joe Maimon
Barney Wolff wrote: On Thu, Dec 04, 2003 at 05:54:42PM -0500, [EMAIL PROTECTED] wrote: On Thu, 04 Dec 2003 16:40:45 EST, Joe Maimon <[EMAIL PROTECTED]> said: I was wondering would it not be wiser for fraggers to frag in half instead of just the overflow? There's 2 cases here: 1

Re: MTU path discovery and IPSec

2003-12-04 Thread Barney Wolff
On Thu, Dec 04, 2003 at 05:54:42PM -0500, [EMAIL PROTECTED] wrote: > On Thu, 04 Dec 2003 16:40:45 EST, Joe Maimon <[EMAIL PROTECTED]> said: > > I was wondering would it not be wiser for fraggers to frag in half > > instead of just the overflow? > > There's 2 cases here: > > 1) This is the fina

Re: MTU path discovery and IPSec

2003-12-04 Thread Valdis . Kletnieks
On Thu, 04 Dec 2003 16:40:45 EST, Joe Maimon <[EMAIL PROTECTED]> said: > I agree with all I have snipped. > I was wondering would it not be wiser for fraggers to frag in half > instead of just the overflow? There's 2 cases here: 1) This is the final frag on the path - if PMTUD is in use, we wa

Re: MTU path discovery and IPSec

2003-12-04 Thread Joe Maimon
Tony Rall wrote: On Wednesday, 2003-12-03 at 09:38 PST, David Sinn <[EMAIL PROTECTED]> wrote: (And note that frag 1 often is not the first fragment to arrive at downstream nodes. In my example in (1), frequently frag 2 will reach places before frag 1 does (if any router along the path

Re: MTU path discovery and IPSec

2003-12-04 Thread Tony Rall
On Wednesday, 2003-12-03 at 09:38 PST, David Sinn <[EMAIL PROTECTED]> wrote: > Given the nastiness of ICMP DDoS attacks of late, it might be better to hit > the server and client admin's with the clue bat about not using PMTU > discovery (which also extends to the writers of the App's and OS's).

RE: MTU path discovery and IPSec

2003-12-04 Thread Arjan Hulsebos
> On Wed, 03 Dec 2003 16:05:39 GMT, [EMAIL PROTECTED] said: > > > 1) I assume MTU path discovery has to been in enabled on > each router in the path in order for it work correctly?! > > Actually, no. All that's required i

Re: MTU path discovery and IPSec

2003-12-03 Thread Owen DeLong
--On Wednesday, December 3, 2003 11:39 AM -0500 [EMAIL PROTECTED] wrote: On Wed, 03 Dec 2003 16:05:39 GMT, [EMAIL PROTECTED] said: 1) I assume MTU path discovery has to been in enabled on each router in the path in order for it work correctly?! Actually, no. All that's required is that: a)

Re: MTU path discovery and IPSec

2003-12-03 Thread David Sinn
> Chris Proctor > EPIK Communications > >> -Original Message- >> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] >> Sent: Wednesday, December 03, 2003 11:39 AM >> To: [EMAIL PROTECTED] >> Cc: [EMAIL PROTECTED] >> Subject: Re: MTU path discover

RE: MTU path discovery and IPSec

2003-12-03 Thread cproctor
at the firewall. Chris Proctor EPIK Communications > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > Sent: Wednesday, December 03, 2003 11:39 AM > To: [EMAIL PROTECTED] > Cc: [EMAIL PROTECTED] > Subject: Re: MTU path discovery and IPSec > >

Re: MTU path discovery and IPSec

2003-12-03 Thread Valdis . Kletnieks
On Wed, 03 Dec 2003 16:05:39 GMT, [EMAIL PROTECTED] said: > 1) I assume MTU path discovery has to been in enabled on each router in the path in > order for it work correctly?! Actually, no. All that's required is that: a) The router handle the case of a too-large packet with the DF bit set by

Re: MTU path discovery and IPSec

2003-12-03 Thread Owen DeLong
A subtle correction... A router where all MTUs are the same will never have to fragment anything. A router where all MTUs are >=1500 will probably not need to fragment anything. However, it is possible to attach a host via GIG-E or other media which supports jumbo frames (Frame relay, for examp

Re: MTU path discovery and IPSec

2003-12-03 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, [EMAIL PROTECTED] writes: > >Two questions: > >1) I assume MTU path discovery has to been in enabled on each router in the path in order for it work correctly?! No -- it only has to be enabled on routers with smaller outbound MTUs than inbound. A router for whi

MTU path discovery and IPSec

2003-12-03 Thread jgraun
Two questions: 1) I assume MTU path discovery has to been in enabled on each router in the path in order for it work correctly?! 2) Anybody use this to solve application issues over an IPSec tunnel to due to large of a frame? any help would be great Thanks