questions on MTU

Nikos Mavrogiannopoulos nmav at gnutls.org
Sun Jun 2 05:00:48 EDT 2013


Hello,
 I have some issues with MTU on a particular link and I am trying to
figure out MTU handling in openconnect. It seems openconnect sends to
the server the MTU value of the link (as seen from calculate_mtu()) and
then it sets as vpninfo->actual_mtu the value that was received by the
server.

Is that supposed to be the link MTU, or the MTU excluding any TLS or
DTLS headers? As it is handled now it is used as the latter, but that is
inconsistent with the initial value sent by the client on the same header.

Nevertheless, in both cases the handling of MTU using
gnutls_dtls_set_data_mtu() seems wrong.

1. If vpninfo->actual_mtu contains the link MTU, then the current
behavior is to add to the link MTU the DTLS headers, MAC etc., thus
packet sizes will exceed the actual MTU.

I think that gnutls_dtls_set_mtu() should be called with the MTU value
and then the real data MTU for this connection can be seen using
gnutls_dtls_get_mtu().

2. If vpninfo->actual_mtu contains the MTU after all headers, then the
current behavior again exceeds it by setting it as actual_mtu+1. The
correct should have been to set it as actual_mtu.

Am I missing something from these interpretations?

btw. Some DTLS overhead values for different ciphersuites and 1500
initial mtu:
AES-xxx-CBC-SHA1: 65 bytes
AES-xxx-GCM: 33 bytes (that one is available from DTLS 1.2 and later)

I am also experimenting with SALSA20 with UMAC [0] which gives an
overhead of 25 bytes and other performance benefits.

regards,
Nikos

[0]. http://nmav.gnutls.org/2013/05/salsa20-and-umac-in-tls.html



More information about the openconnect-devel mailing list