netdev

Re: IPsec and Path MTU

To: "David S. Miller" <davem@xxxxxxxxxx>
Subject: Re: IPsec and Path MTU
From: Michael Richardson <mcr@xxxxxxxxxxxxxxxxxxxxxx>
Date: Fri, 18 Jun 2004 23:33:34 -0400
Cc: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>, kuznet@xxxxxxxxxxxxx, jmorris@xxxxxxxxxx, netdev@xxxxxxxxxxx
In-reply-to: Message from "David S. Miller" <davem@xxxxxxxxxx> of "Thu, 17 Jun 2004 16:14:03 PDT." <20040617161403.2d0ee598.davem@xxxxxxxxxx>
References: <20040615124334.GA25164@xxxxxxxxxxxxxxxxxxx> <20040616195653.GC29781@xxxxxxxxxxxxx> <20040616231317.GA5742@xxxxxxxxxxxxxxxxxxx> <20040617190158.GA10925@xxxxxxxxxxxxx> <20040617213832.GC14089@xxxxxxxxxxxxxxxxxxx> <20040617152921.730892c7.davem@xxxxxxxxxx> <20040617231241.GB14739@xxxxxxxxxxxxxxxxxxx> <20040617161403.2d0ee598.davem@xxxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx


>>>>> "David" == David S Miller <davem@xxxxxxxxxx> writes:
    >> In my case, the ICMP message is not coming from the remote IPsec
    >> gateway or a router in front of it.  It's coming from a host
    >> behind it.  So the original IP header is in the ICMP message, in
    >> the clear.

    David> Remote gateway is supposed to encapsulate the ICMP message
    David> and send it back to the other gateway isn't it?

Maybe. Maybe not.
The policy may be per-port, or based upon some other more complicated
policy. 

- --
]     "Elmo went to the wrong fundraiser" - The Simpson         |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xxxxxxxxxxxxx      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [


