Updated: Impact of IP Fragmentation on Tunnels and Encryption
The last bits of the updated Never-Ending Story of IP Fragmentation were published a few days ago: IP fragmentation and tunnels, and summary and related blog posts, RFCs and other articles.
I have such cases in my network where the IPIP tunnel reduced the MTU and the UDP/multicast packets have a size of 1500 bytes...
I wonder what your suggestion is in such a case...
Instead decided to enforce the fragmentation & reassembly on the IPIP tunnel (on both devices terminating the tunnel). DF is ignored.
But it wasn't so easy to do this. Some vendors do not support such a feature. Sometimes you need to switch to IPSec-null encryption and do post-encryption fragmentation (the de-fragmentation is implicit just because to decrypt the packet it needs to be de-fragmented first). And it works as long as the IPSec can be a part of your product.
There are many such cases where the solution is driven by business factors. Real life. Usually much more complicated than we can expect.
Honestly, after too many kludges I had to live with, I tend to walk away these days. My sanity is precious and my time on this planet is limited. I also understand that’s not an option for everyone.
Apologize for the rant.
Ivan