Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.cs.su.oz.au!metro!metro!munnari.OZ.AU!news.mel.connect.com.au!news.syd.connect.com.au!phaedrus.kralizec.net.au!news.mel.aone.net.au!news.netspace.net.au!news.mira.net.au!pumpkin.pangea.ca!eru.mt.luth.se!solace!nntp.se.dataphone.net!nntp.uio.no!news.maxwell.syr.edu!news-peer.sprintlink.net!news-peer.sprintlink.net!news.sprintlink.net!sprint!howland.erols.net!rill.news.pipex.net!pipex!warm.news.pipex.net!pipex!tank.news.pipex.net!pipex!news.utell.co.uk!usenet
From: brian@shift.utell.net (Brian Somers)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: IPDIVERT and fragmentation
Date: 8 Apr 1997 09:24:16 GMT
Organization: Awfulhak Ltd.
Lines: 38
Message-ID: <5id2s0$8md@ui-gate.utell.co.uk>
References: <5ibgbu$at2$1@phoenix.kfu.com>
Reply-To: brian@awfulhak.org, brian@utell.co.uk
NNTP-Posting-Host: shift.utell.net
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Newsreader: knews 0.9.8
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.freebsd.misc:38829

In article <5ibgbu$at2$1@phoenix.kfu.com>,
nsayer@quack.kfu.com (Nick Sayer) writes:
> I am thinking about implementing a virtual private network
> scheme for FreeBSD using ipfw and a divert channel.
>
> VPNs mean that you encrypt the traffic going between LAN A and
> LAN B as it passes over the Internet.
>
> My implementation is going to use UDP encapsulation, so the
> packets will get a tiny bit bigger as they travel over the
> Internet. The question is this:
>
> What happens if I had a packet that is too large for the MTU of
> the underlying medium to the 'out' side of a divert socket?
> Will the IP layer _after_ divert fragment the packet?

Yes. As long as it's not a broadcast packet.

> On the opposite side of the coin, what happens if a fragmented packet
> comes in from a network interface and is destined for a divert
> socket? Can I expect that the fragments have been collected
> and the packet reassembled before being given to me or must I assemble
> them myself?

Yes.

> advTHANKSance

When you "re-inject" using a divert socket, it goes back into
ip_{input,output} at the top of the routine rather than where
it left it to enter the divert socket in the first place. There's
some smart code in place that figures out that the packet has
already been diverted that avoids diverting it again.

--
Brian <brian@awfulhak.org> <brian@freebsd.org>
<http://www.awfulhak.demon.co.uk>
Don't _EVER_ lose your sense of humour !
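
Added example (not part of the original post, and not FreeBSD code): a small C program that works out how the IP layer would split a UDP-encapsulated packet that no longer fits the link MTU after re-injection, which is the case the first answer covers. The 20-byte IPv4 header without options, the 8-byte UDP header as the only tunnel overhead, and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>

#define IP_HDR  20   /* assumption: IPv4 header without options */
#define UDP_HDR 8    /* assumption: UDP header is the only tunnel overhead */

/* One planned fragment; offset and len are in bytes of IP payload. */
struct frag { unsigned offset; unsigned len; int more; };

/* Split an IP payload of `payload` bytes for a link with the given MTU.
 * Returns the number of fragments written to out[], or 0 if the MTU is too
 * small or out[] is too short. Every fragment except the last carries a
 * multiple of 8 bytes, because the IP fragment offset counts 8-byte units. */
size_t plan_fragments(unsigned payload, unsigned mtu, struct frag *out, size_t max)
{
    if (mtu < IP_HDR + 8)
        return 0;
    unsigned room = mtu - IP_HDR;      /* payload bytes that fit in one packet */
    unsigned per = room & ~7u;         /* rounded down to an 8-byte boundary */
    unsigned off = 0;
    size_t n = 0;
    do {
        if (n == max)
            return 0;
        unsigned left = payload - off;
        unsigned len = left > room ? per : left;  /* last piece may be any size */
        out[n].offset = off;
        out[n].len = len;
        out[n].more = (off + len < payload);      /* MF flag */
        n++;
        off += len;
    } while (off < payload);
    return n;
}

/* Outer IP payload once an inner IP packet is wrapped in UDP. */
unsigned encapsulated_payload(unsigned inner_packet_len)
{
    return UDP_HDR + inner_packet_len;
}

int main(void)
{
    struct frag f[8];
    /* Constructed case: a full 1500-byte inner packet over a 1500-byte MTU. */
    size_t n = plan_fragments(encapsulated_payload(1500), 1500, f, 8);
    for (size_t i = 0; i < n; i++)
        printf("fragment %zu: offset=%u len=%u MF=%d on-wire=%u\n",
               i, f[i].offset, f[i].len, f[i].more, f[i].len + IP_HDR);
    return 0;
}
```

Under these assumptions, an inner packet of up to 1472 bytes still leaves in one piece on a 1500-byte MTU; anything larger produces a small trailing fragment for every tunnelled packet.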