

Updated: Impact of IP Fragmentation on Tunnels and Encryption

The last parts of the updated Never-Ending Story of IP Fragmentation were published a few days ago: IP Fragmentation and Tunnels, and a summary with related blog posts, RFCs and other articles.


4 comments:

  1. PMTUD and UDP/multicast? Should it work?

    I have such cases in my network where the IPIP tunnel reduced the MTU and the UDP/multicast packets have a size of 1500 bytes...

    I wonder what your suggestion is in such a case...

    1. As you're dealing with multicast and UDP, the only solution is to solve the problem on the application layer, worst case limiting the MTU to minimum MTU that MUST be passed by all IPv6 routers (= 1280). I don't have a better answer :(

    2. Change the app behavior in a legacy protocol? Theoretically a good idea as long as you can convince the sponsor to pay for it, and the risk is accepted (the risk of changing a legacy protocol deployed at thousands of customers).

      Instead I decided to enforce fragmentation & reassembly on the IPIP tunnel (on both devices terminating the tunnel). DF is ignored.
      But it wasn't so easy to do this. Some vendors do not support such a feature. Sometimes you need to switch to IPsec null encryption and do post-encryption fragmentation (the defragmentation is implicit just because to decrypt the packet it needs to be defragmented first). And it works as long as IPsec can be a part of your product.

      There are many such cases where the solution is driven by business factors. Real life. Usually much more complicated than we can expect.

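The arithmetic behind this exchange, worked through in code: a 1500-byte UDP/multicast packet, a 20-byte IPIP outer header, fragmentation of the outer packet on the tunnel endpoint with the inner DF bit deliberately not consulted, and reassembly with hole/overlap checks on the far endpoint before decapsulation. This is an added example, not code from the original post or from either commenter; the function names are my own and every packet byte is constructed test data. The 1280 constant is the IPv6 minimum link MTU the first reply refers to.

```python
"""IPIP tunnel MTU arithmetic plus outer-header fragmentation and reassembly.

Constructed example; all packet bytes below are test data, not captures.
"""

IPV4_HEADER_LEN = 20   # outer IPv4 header without options (IPIP adds exactly this)
IPV6_MIN_MTU = 1280    # smallest MTU every IPv6 link must carry (the 1280 in the thread)
FRAG_UNIT = 8          # IPv4 fragment offsets are expressed in 8-byte units


def tunnel_payload_mtu(link_mtu, overhead=IPV4_HEADER_LEN):
    """Largest inner packet that crosses the tunnel without outer fragmentation."""
    return link_mtu - overhead


def fragment_outer(inner_packet, link_mtu):
    """Encapsulate and fragment: split the inner packet into outer IPv4 fragments.

    Each fragment is (offset in 8-byte units, more-fragments flag, payload);
    every fragment but the last carries a multiple of 8 bytes. The inner
    packet's DF bit is deliberately not consulted, which is the tunnel
    behaviour ("DF is ignored") described in the thread.
    """
    max_payload = tunnel_payload_mtu(link_mtu)
    max_payload -= max_payload % FRAG_UNIT           # keep offsets representable
    if max_payload <= 0:
        raise ValueError("link MTU leaves no room for payload")
    fragments = []
    for start in range(0, len(inner_packet), max_payload):
        chunk = inner_packet[start:start + max_payload]
        more = start + len(chunk) < len(inner_packet)
        fragments.append((start // FRAG_UNIT, more, chunk))
    return fragments


def missing_ranges(fragments):
    """Byte ranges [start, end) not covered by any fragment, in offset order.

    A reassembler that reports these (instead of silently padding) is the
    check you want in front of decapsulation or decryption.
    """
    gaps, expected = [], 0
    for offset, _more, chunk in sorted(fragments, key=lambda f: f[0]):
        start = offset * FRAG_UNIT
        if start > expected:
            gaps.append((expected, start))
        expected = max(expected, start + len(chunk))
    return gaps


def reassemble_outer(fragments):
    """Rebuild the inner packet from fragments received in any order.

    Raises ValueError on holes, overlaps, a missing MF=0 fragment, or data
    that lies beyond the MF=0 fragment; none of these may reach decapsulation.
    """
    ordered = sorted(fragments, key=lambda f: f[0])
    if not ordered or ordered[-1][1]:
        raise ValueError("final fragment (MF=0) never seen")
    if missing_ranges(ordered):
        raise ValueError(f"holes at {missing_ranges(ordered)}")
    out = bytearray()
    for idx, (offset, more, chunk) in enumerate(ordered):
        if offset * FRAG_UNIT != len(out):
            raise ValueError(f"overlap at byte {len(out)}")
        if more and len(chunk) % FRAG_UNIT:
            raise ValueError("non-final fragment is not a multiple of 8 bytes")
        if not more and idx != len(ordered) - 1:
            raise ValueError("data beyond the MF=0 fragment")
        out += chunk
    return bytes(out)


if __name__ == "__main__":
    inner = bytes(i & 0xFF for i in range(1500))   # constructed 1500-byte UDP/multicast packet
    print("largest inner packet crossing a 1500-byte link unfragmented:", tunnel_payload_mtu(1500))
    frags = fragment_outer(inner, 1500)
    for offset, more, chunk in frags:
        print(f"outer fragment: offset={offset * FRAG_UNIT:5d} MF={int(more)} "
              f"wire size={IPV4_HEADER_LEN + len(chunk)}")
    assert reassemble_outer(list(reversed(frags))) == inner
    print("holes after losing the first fragment:", missing_ranges(frags[1:]))
```

Running it shows the cost the comment mentions: a single 1500-byte inner packet becomes a 1500-byte and a 40-byte outer packet, so every multicast packet now costs two packets on the tunnel link and a reassembly buffer on the far end. The `missing_ranges` check is the defender-side piece: a lost first fragment leaves a hole at bytes 0 to 1480, and the reassembler refuses rather than handing a partial packet to decapsulation.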
    3. You asked me for a technical opinion. I did my best. You can’t implement it. I get that, but there’s nothing I can do about that. It’s not like RFC 1122 was published last year... and sometimes you have to decide between implementing a dirty kludge (and a performance hit in your case) or walking away from the problem.

      Honestly, after too many kludges I had to live with, I tend to walk away these days. My sanity is precious and my time on this planet is limited. I also understand that’s not an option for everyone.

      Apologies for the rant.
      Ivan


